Not logged in
Log in now
Create an account
Subscribe to LWN
LWN.net Weekly Edition for December 5, 2013
Deadline scheduling: coming soon?
LWN.net Weekly Edition for November 27, 2013
ACPI for ARM?
LWN.net Weekly Edition for November 21, 2013
Way to have FedUp users
Posted Dec 21, 2012 0:12 UTC (Fri) by smcv (subscriber, #53363)
1. some prominent developers sign...
2. a "role" GPG key which signs...
3. a file containing cryptographic hashes of...
4. the installation media, which contain...
5. the (debian|ubuntu|...)-archive-keyring package, which contains...
6. a "role" GPG key which signs...
7. the Release file, containing cryptographic hashes of...
8. the Packages and Sources files, containing cryptographic hashes of...
9. each installable package
For a naive user who doesn't verify anything, skip directly to (4).
For upgrades, skip directly to (5) (assuming no key revocations have been required), because each release's -archive-keyring package contains the public key with which the project intends to sign the next release.
(Some prominent developers also sign (6), providing a shorter chain of trust to that.)
Posted Dec 21, 2012 17:16 UTC (Fri) by smoogen (subscriber, #97)
How does a network installer confirm the web of trust? Is there a prompt for the user to go to XYZ website and upload a key and check to see that the key matches what the website says (or some kind of prompt.. )
How does someone behind a Great Firewall of XYZ nation know that they aren't getting MITM somehow and the packages aren't fake.
Posted Dec 21, 2012 17:28 UTC (Fri) by dlang (✭ supporter ✭, #313)
if you are behind GREAT FIREWALL of X, you have no way of knowing if the install media you are using has been tampered with, you have no way of knowing if your attempts to validate the key are being tampered with, you could try and make a phone call to someone outside the firewall, or smuggle in media from outside and validate things that way
But once you have trusted install media (for whatever value of trust you want to go to), that install media will validate the packages.
The chain of trust is traceable to individual keys, not to CA entities, so the fact that the government is a CA entity doesn't change things.
Posted Dec 21, 2012 22:22 UTC (Fri) by pkern (subscriber, #32883)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds