home  bbs  files  messages ]

      ZZLI4422             linux.debian.devel             1179 messages      

[ previous | next | reply ]

[ list messages | list forums ]

  Msg # 265 of 1179 on ZZLI4422, Thursday 9-03-25, 1:16  
  From: GUILLEM JOVER  
  To: PHILIPP KERN  
  Subj: Re: RFC: Consequences of redesign of .de  
 From: guillem@debian.org 
  
 Hi! 
  
 On Tue, 2025-09-02 at 11:16:56 +0200, Philipp Kern wrote: 
 > On 9/1/25 1:23 PM, Guillem Jover wrote: 
 > >   * Make the format extensible to other signature formats or workflows 
 > >     (such as x509, secure-boot, IMA, etc., even if there's currently no 
 > >     intention to add support for any of this). 
 > 
 > When we discussed support for IMA internally many years back we had 
 > no good answer for the key rotation problem. That feels very 
 > annoying with embedded signatures. You need to re-sign all the debs 
 > that you have in storage and need to get all signatures on disk 
 > updated - unless you generate immutable images that you can update 
 > all at once. 
  
 Right, this is something that has indeed been known to affect all 
 embedded signatures (it's on the debsig-verify TODO redesign doc for 
 example :). And something we also covered in the deb signing talks 
 in DebConf25. 
  
 I should probably have been more clear in an earlier point where 
 there's a mention of potential acceptance into the Debian archive, 
 limited by concerns over reproducibility, where the key rotation part 
 was omitted. 
  
 To be very honest, I've seen the reproducible and key rotation problems 
 to be such a concern that I don't think we'd want to have those in the 
 archive. I think embedded signatures do make sense if your primary way 
 to transport .debs is off-repos and/or you also want to track provenance, 
 have a small set of binaries, or are prepared to rebuild everything to 
 be able to re-sign (even on a stable release), otherwise for something 
 like Debian the current repo-signing has always felt superior in all 
 possible ways. 
  
 And IMA has indeed the same exact problem, where I'm also not convinced 
 at all about them for the Debian archive. Yet, I still think it would 
 be nice to have a format that might make it possible to explore that, 
 because perhaps for some organizations or distribution methods it does 
 make sense. (Because decoupling the IMA signatures from the general 
 filesystem metadata payload means injecting or changing them is going 
 to be way easier.) 
  
 Thanks, 
 Guillem 
  
 --- SoupGate-Win32 v1.05 
  * Origin: you cannot sedate... all the things you hate (1:229/2) 

[ list messages | list forums | previous | next | reply ]

search for:

328,120 visits
(c) 1994,  bbs@darkrealms.ca