AW: AW: AW: Users GnuPG aims for? (Re: Breaking MIME concatenation)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri May 18 20:52:45 CEST 2018


On Fri 2018-05-18 05:31:36 +0000, Fiedler Roman wrote:
> I see. If understood correctly, the trusted.gpg.d bypasses key
> management with apt-key completely, so not running into problems with
> apt-key deprecation.

I'm actually advocating avoiding trusted.gpg.d entirely as well, and
moving to explicit per-repo keyrings.

So keep trusted.gpg and trusted.gpg.d completely empty, and populate
/etc/apt/sources.list with lines like:

    deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://ftp.debian.org/debian buster main

> I thought about that also, but shouldn't 99%+ of systems perform no
> pinning whatsoever of packages to repositories?  In that case, the
> "wrong" repository could publish just a slightly increased package
> version number of a package from another repository.

You're asking the right questions.  But please read
https://wiki.debian.org/DebianRepository/UseThirdParty#Standard_pinning
and the other sections on that page in more detail for the answers :)

> Unless my system is misconfigured or other assumptions do not hold
> true, that would imply, that the only security benefit from key
> pinning is only about maintenance, making detection/pruning of stale
> keys easier.

Another benefit is that it is a necessary prerequisite if we want to be
able to constrain some .debs (e.g. https://wiki.debian.org/UntrustedDebs
and https://wiki.debian.org/Teams/Dpkg/Spec/DeclarativePackaging) based
on their origin.  This is still more work to be done, but if we can't
isolate repos from one another then it'll never work.  So please don't
discount this work just because we haven't achieved all the rest of the
isolation yet.

The journey of a thousand miles begins with a single step, as they say.

    --dkg
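As an added example (not code from this thread, from Debian or from apt): a small POSIX shell audit of the setup dkg describes. It flags sources.list entries that carry no per-repo signed-by= keyring and emits an apt_preferences stanza that stops a third-party origin from replacing packages already installed from elsewhere; the hostnames, paths and the priority value 100 are constructed/assumed, and the sample sources text is made up for the demonstration.

```shell
#!/bin/sh
# Hypothetical audit helpers for the per-repo keyring + pinning approach.
set -e

# Print every deb/deb-src line whose option field lacks "signed-by=" to
# stderr, and print the number of such lines to stdout. Commented-out
# lines are ignored. Reads sources.list-style text on stdin.
audit_sources() {
    awk '
      /^[[:space:]]*deb(-src)?[[:space:]]/ && $0 !~ /\[[^]]*signed-by=/ {
          print "no signed-by: " $0 > "/dev/stderr"; n++ }
      END { print n + 0 }'
}

# Emit an apt_preferences stanza for one third-party origin ($1).
# Priority 100 (assumed value) is below the default 500, so a version from
# this origin is only chosen when no other repo offers the package and
# nothing is installed yet; a merely higher version number from the
# third-party repo no longer wins over the distribution's own package.
pin_stanza() {
    printf 'Package: *\nPin: origin %s\nPin-Priority: 100\n' "$1"
}

# Constructed sample: one Debian entry done right, one third-party entry
# without a keyring, one comment, one deb-src with extra options.
SAMPLE_SOURCES='deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://ftp.debian.org/debian buster main
deb http://repo.example.invalid/debian buster main
# deb-src http://ftp.debian.org/debian buster main
deb-src [arch=amd64 signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://ftp.debian.org/debian buster main'

missing=$(printf '%s\n' "$SAMPLE_SOURCES" | audit_sources)
echo "entries without signed-by: $missing"
echo "suggested /etc/apt/preferences.d stanza for the third-party repo:"
pin_stanza repo.example.invalid
```

On a real host, replace the sample text with `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list`; the count tells you how many entries still fall back to the shared trusted.gpg.d keyrings.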
