Here is the 1 million dollar question... what do other distributions do? When I looked last time they pretty much did the same thing or ignored the bootstrap problem by assuming it was ok. Has that changed?
Posted Dec 21, 2012 0:12 UTC (Fri) by smcv (subscriber, #53363)
In Debian (and derivatives like Ubuntu), the chain of trust goes like this:
1. some prominent developers sign...
2. a "role" GPG key which signs...
3. a file containing cryptographic hashes of...
4. the installation media, which contain...
5. the (debian|ubuntu|...)-archive-keyring package, which contains...
6. a "role" GPG key which signs...
7. the Release file, containing cryptographic hashes of...
8. the Packages and Sources files, containing cryptographic hashes of...
9. each installable package
For a naive user who doesn't verify anything, skip directly to (4).
For upgrades, skip directly to (5) (assuming no key revocations have been required), because each release's -archive-keyring package contains the public key with which the project intends to sign the next release.
(Some prominent developers also sign (6), providing a shorter chain of trust to that.)
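Steps (7) to (9) of the chain above, as an added example that is not code from the original comment or from apt itself: a constructed Release file vouches for a constructed Packages file by SHA256 and size, and that Packages file in turn vouches for a constructed .deb. The GPG signature that binds the archive key to the Release file (step 6) is assumed to have already been checked and is not shown.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample archive (not a real Debian mirror); the digests in the
# index files are computed from these very bytes so the chain verifies.
DEB_BYTES = b"!<arch>\nconstructed-fake-package-contents\n"

PACKAGES_TEXT = (
    "Package: example\n"
    "Version: 1.0-1\n"
    "Filename: pool/main/e/example/example_1.0-1_amd64.deb\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {sha256_hex(DEB_BYTES)}\n\n"
).encode()

RELEASE_TEXT = (
    "Origin: Constructed\nSuite: stable\nSHA256:\n"
    f" {sha256_hex(PACKAGES_TEXT)} {len(PACKAGES_TEXT)} main/binary-amd64/Packages\n"
)

def release_hashes(release_text: str) -> dict:
    """Map index path -> (sha256, size) from the 'SHA256:' block of a Release file."""
    hashes, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
        else:
            in_block = False          # any other header ends the block
    return hashes

def verify_index(release_text: str, path: str, index_bytes: bytes) -> bool:
    """Step 7 -> 8: Release vouches for the Packages file (size and digest)."""
    digest, size = release_hashes(release_text)[path]
    return len(index_bytes) == size and sha256_hex(index_bytes) == digest

def package_stanza(packages_bytes: bytes, name: str):
    """Return the field dict of the stanza for `name`, or None if absent."""
    for stanza in packages_bytes.decode().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if fields.get("Package") == name:
            return fields
    return None

def verify_deb(packages_bytes: bytes, name: str, deb_bytes: bytes) -> bool:
    """Step 8 -> 9: Packages vouches for the downloaded .deb (size and digest)."""
    f = package_stanza(packages_bytes, name)
    return f is not None and int(f["Size"]) == len(deb_bytes) \
        and sha256_hex(deb_bytes) == f["SHA256"]
```

A tampered Packages file or .deb fails the corresponding check even when only one byte changed, which is exactly why the chain only needs the single archive key to be trusted out of band.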
Way to have FedUp users
Posted Dec 21, 2012 17:16 UTC (Fri) by smoogen (subscriber, #97)
OK, thanks for that information on the Debian way of confirming the package chain.
How does a network installer confirm the web of trust? Is there a prompt for the user to go to XYZ website and upload a key and check to see that the key matches what the website says (or some kind of prompt...)?
How does someone behind a Great Firewall of XYZ nation know that they aren't getting MITM'd somehow and that the packages aren't fake?
Way to have FedUp users
Posted Dec 21, 2012 17:28 UTC (Fri) by dlang (✭ supporter ✭, #313)
The network installer has the key needed to validate the packages. The media the packages come from does not materially change things (it's just network vs. disk).
If you are behind the GREAT FIREWALL of X, you have no way of knowing if the install media you are using has been tampered with, and you have no way of knowing if your attempts to validate the key are being tampered with. You could try to make a phone call to someone outside the firewall, or smuggle in media from outside and validate things that way.
But once you have trusted install media (for whatever value of trust you want to go to), that install media will validate the packages.
The chain of trust is traceable to individual keys, not to CA entities, so the fact that the government is a CA entity doesn't change things.
Way to have FedUp users
Posted Dec 21, 2012 22:22 UTC (Fri) by pkern (subscriber, #32883)
You can verify the installation media by checking its hash against the list of hashes signed by the Debian CD release key, though. Now how you bootstrap that trust is obviously still an interesting exercise behind a great firewall with no friends outside.