From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/20110131/002381.html | 109 ++++++++++++++++++++++++++++++++ 1 file changed, 109 insertions(+) create mode 100644 zarb-ml/mageia-dev/20110131/002381.html (limited to 'zarb-ml/mageia-dev/20110131/002381.html') diff --git a/zarb-ml/mageia-dev/20110131/002381.html b/zarb-ml/mageia-dev/20110131/002381.html new file mode 100644 index 000000000..3fabfb10e --- /dev/null +++ b/zarb-ml/mageia-dev/20110131/002381.html @@ -0,0 +1,109 @@ + + + + [Mageia-dev] PGP keys and package signing + + + + + + + + + +

[Mageia-dev] PGP keys and package signing

+ Motoko-chan + motokochan at animeneko.net +
+ Mon Jan 31 05:16:36 CET 2011 +

+
+ +
On 01/30/2011 07:16 PM, nicolas vigier wrote:
+> So I propose that we use two keys :
+>   - We sign all packages from all repositories using only one key. This
+>     key is stored on the buildsystem. We can call it packages at mageia.org.
+Sounds good to me.
+
+>   - We have an other key, that we call board at mageia.org. This key is
+>     not used on any online server, and is supposed to never be changed,
+>     and should not be compromised. Only a few people have a copy of this
+>     key (some people from board ?), kept on a usb key hidden somewhere, but
+>     not on their laptop or any computer with internet connection. This key
+>     is used to sign the key packages at mageia.org (and revoke it if needed),
+>     and other official keys of the project, but never used for anything
+>     else (not for receiving encrypted messages). And the signature is
+>     sent on public keyservers.
+If possible, using a split key so that no single person can revoke a 
+signature or sign a key would be useful. This would prevent attacks 
+where an individual might be tricked into signing an attacker's key. It 
+would require multiple people to be tricked or have their systems 
+compromised to have that key compromised.
+
+
+>   - We add the board at mageia.org public key inside the urpmi package.
+>     We change urpmi so that it refuses to use any key which has not been
+>     signed by board at mageia.org. And urpmi should frequently update the
+>     keys it is using from public keyservers to check that its signature
+>     from board@ has not been revoked (or that the key self signature has
+>     not been revoked).
+What about third-party repositories, like PLF is to Mandriva? Making 
+that change would require that each of those repository owners have 
+their key signed to work with the urpmi framework. This could either 
+mean the death of urpmi for managing packages, diluting the trust of the 
+board@ key, or discouraging outside contributions.
+
+What if urpmi automatically trusts packages signed with a key signed by 
+board@ and prompt on the first install of a package that is signed by a 
+different key? The yum tool used by Fedora, RHEL, and CentOS works very 
+well by prompting on new keys.
+
+
+>   - In case we think the packages@ key may have been compromised, or is
+>     too old, or we want to change it for any other reason, we revoke the
+>     key, and/or revoke the signature from board@ so that it is no
+>     longer accepted by urpmi. We create a new key, we sign it with
+>     the board@ key and we can start to use this new key.
+Sounds good. I'd almost suggest a new packages signing key for each new 
+release that is valid for the supported life of the release plus one 
+year. It's a bit more work, but would reduce the damage a key leak would 
+cause. Unfortunately, this would bring back the problems of re-signing 
+packages when they are turned into a release.
+
+  - Michael
+
+ + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1