Ben Collins ben.collins at ubuntu.com
Mon Oct 24 08:52:33 CDT 2005


On Sun, Oct 23, 2005 at 01:34:40PM -0700, Matt Zimmerman wrote:
> On Sun, Oct 23, 2005 at 06:40:58PM +0200, Jeff Waugh wrote:
> > <quote who="Evan Dandrea">
> > 
> > > I think this is the wrong idea. If in a future version of Ubuntu I can
> > > click on any .deb on the web and get prompted to install it, we'll have
> > > every problem with spyware that Microsoft currently faces.
> > 
> > Interesting point - certainly more of a problem given that we don't have
> > individual package signing.
> 
> Individual package signing isn't much better, since there's generally no
> trust path to the key.  Why would you trust a key that says "I came from
> vendor <foo>" any more than a package which says "I came from vendor <foo>"?
> 
> For software in official Ubuntu repositories, the trust path goes all the
> way back to the installation media.

There's always the debsig stuff that I worked on a few years back. It has
a complete policy system, and dpkg already has the capability to use it.
No one ever decided to use it in Debian because it required infrastructure
in katie to add origin keys.

IMO, something like the package keys, along with a signed Release{,.gpg}
file listing all the packages, is a more complete system.

Plus the package signing is valuable to ISVs. One could envision an
Ubuntu package signing authority, in which third-party packages can have
their origin validated via a trust web going back to Ubuntu itself.

Sounds an awful lot like Microsoft's ActiveX trust system, but I think
this could be done a bit better.

-- 
   Ben Collins <ben.collins at ubuntu.com>
   Developer
   Ubuntu Linux
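As an added illustration of the trust chain discussed in the thread (the signed Release file vouching for the Packages index, which in turn vouches for each .deb), the following script is example code written for this page; it is not code from the thread, from apt, dpkg, or debsig-verify. The Release and Packages texts and the placeholder .deb bytes are constructed sample data, and the gpgv invocation assumes a keyring you already trust is on disk.

```python
"""Verify an apt-style trust chain: signed Release -> Packages index -> .deb.

Added example, not code from the ubuntu-devel thread or from apt/dpkg.
The signature on Release is what ties the chain to a key you already
trust; every hash below it is only as strong as that signature.
"""
import hashlib
import subprocess
from typing import Dict, Tuple


def verify_release_signature(release_path: str, sig_path: str, keyring_path: str) -> bool:
    """Step 1: check the detached Release.gpg against a pinned keyring with gpgv.

    gpgv exits non-zero for a bad signature or a key absent from the keyring,
    so a file signed by an unknown vendor key fails here. Needs gpgv on PATH;
    the hash-chain steps below run offline.
    """
    result = subprocess.run(
        ["gpgv", "--keyring", keyring_path, sig_path, release_path],
        capture_output=True,
    )
    return result.returncode == 0


def parse_release_hashes(release_text: str, algo: str = "SHA256") -> Dict[str, Tuple[str, int]]:
    """Return {path: (hexdigest, size)} from the named hash section of Release."""
    entries: Dict[str, Tuple[str, int]] = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.rstrip() == f"{algo}:"  # field at column 0 starts a section
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text: str) -> Dict[str, Dict[str, str]]:
    """Return {Filename: fields} for each blank-line-separated stanza."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for line in packages_text.splitlines() + [""]:
        if not line.strip():
            if current:
                stanzas[current["Filename"]] = current
                current = {}
        elif line[0] in " \t":
            continue  # continuation of a multi-line field such as Description
        else:
            key, _, value = line.partition(":")
            current[key] = value.strip()
    return stanzas


def verify_chain(release_text: str, packages_bytes: bytes, packages_path: str,
                 deb_bytes: bytes, deb_path: str) -> Tuple[bool, str]:
    """Steps 2 and 3: Packages must match Release; the .deb must match Packages.

    Assumes release_text already passed verify_release_signature().
    """
    listed = parse_release_hashes(release_text)
    if packages_path not in listed:
        return False, "Packages index not listed in Release"
    digest, size = listed[packages_path]
    if len(packages_bytes) != size or hashlib.sha256(packages_bytes).hexdigest() != digest:
        return False, "Packages index does not match signed Release"
    entry = parse_packages(packages_bytes.decode()).get(deb_path)
    if entry is None:
        return False, "package not listed in Packages index"
    if (int(entry["Size"]) != len(deb_bytes)
            or hashlib.sha256(deb_bytes).hexdigest() != entry["SHA256"]):
        return False, "package contents do not match Packages index"
    return True, "ok"


def build_sample(deb_bytes: bytes):
    """Construct a consistent Release/Packages pair for the given (placeholder) .deb."""
    deb_path = "pool/main/h/hello/hello_1.0_i386.deb"
    packages_path = "main/binary-i386/Packages"
    packages = (
        "Package: hello\nVersion: 1.0\nArchitecture: i386\n"
        f"Filename: {deb_path}\nSize: {len(deb_bytes)}\n"
        f"SHA256: {hashlib.sha256(deb_bytes).hexdigest()}\n"
        "Description: constructed sample package\n continuation line\n\n"
    ).encode()
    release = (
        "Origin: Example\nSuite: sample\nArchitectures: i386\nComponents: main\n"
        "SHA256:\n"
        f" {hashlib.sha256(packages).hexdigest()} {len(packages)} {packages_path}\n"
    )
    return release, packages, packages_path, deb_path


if __name__ == "__main__":
    good = b"!<arch>\nconstructed placeholder .deb contents\n"  # constructed, not a real archive
    release, packages, packages_path, deb_path = build_sample(good)
    print(verify_chain(release, packages, packages_path, good, deb_path))
    print(verify_chain(release, packages, packages_path, good + b"x", deb_path))
```

The point of splitting the steps this way is that only the first one involves a key: if the signature on Release is accepted from a key with no trust path, the hash checks below it will pass just as happily for a malicious repository, which is exactly the objection raised earlier in the thread about per-package signatures from an unknown vendor.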



More information about the ubuntu-devel mailing list