Re: [dev] dl.suckless.org file integrity github project

From: Mattias Andrée <maandree_AT_kth.se>
Date: Wed, 23 Aug 2017 23:10:02 +0200

On Wed, 23 Aug 2017 22:29:17 +0200
Markus Teich <markus.teich_AT_stusta.mhn.de> wrote:

> Mattias Andrée wrote:
> > If the server's authenticity can be proven with HTTPS,
> > what additional security do PGP signatures provide?
>
> Some people trust persons they know more than they trust random corporations
> with questionable security policies. Other people think PGP sucks. I don't know
> which group has the majority in the suckless community, thus I asked for a
> gentle vote by flamewar.
>
> I count myself among the PGP proponents, but have to admit that I might be too
> lazy to check the PGP signatures myself.
>
> --Markus
>

In general PGP is good (of course, cryptography inherently sucks, but that's
something we have to live with), but it's just a hassle when it comes to
software packages.

There are a few things to take into consideration when deciding what to do here:

* The number of people that actually know the developers of an individual
  package is negligible, so there isn't actually anyone that the users can
  trust.

* It's probably easier to trust the developers than suckless itself.

* If a user verifies that there is no history of malice up to a signed
  release, the user can to some extent trust the developer, and the
  developer's signature can be used to verify that no one else on suckless
  caused the server to upload a malicious version.

* An alternative to signature files is to sign the tags in Git, and those
  that care enough could pull releases from git instead.

* Signature files allow all developers, not just the owner, to sign the
  release.

* If signature files are added, people will probably make packages in
  repositories, such as the AUR, check the signature, which can be a burden
  on the users, who must add the developer's key to the keyring or disable
  signature checks.

* If someone with root access to the suckless servers wants to replace a
  release, he can serve the genuine version of the site to everyone who has
  connected to the server previously, serve a malicious version to new
  visitors, and have the PGP keys changed.

* If a developer publishes a release, only root and that developer should
  be able to replace the release.

* So do PGP keys actually add any security if we have HTTPS, or do they just
  give a false sense of security?

Received on Wed Aug 23 2017 - 23:10:02 CEST