This is the mail archive of the cygwin-apps@cygwin.com mailing list for the Cygwin project.



[RFC] gpg signed packages [Was: unofficial packages]


I was thinking about it (again)... but a little search saved me from a
"duplicate" proposal... So I will answer the latest messages I can find
about it, as I'm very interested in the thing.

From message http://sources.redhat.com/ml/cygwin-apps/2002-07/msg00403.html

>I think we could have the keyring (a document) on the mirror sites,
>itself signed by Redhat's Software Signing Key (or CGF's personal key
>for that matter).
Having a keyring itself signed is not that useful: it doesn't add any
"trust" in the gpg trust system. Here "trust" is the central thing...
people can assume to trust the key contained in setup.exe, it would be
hard otherwise, but at least on the developer side more trust is needed
IMHO: each maintainer's key should have "enough trust" in the eyes of RH
(or CGF himself, doesn't change the point as far as I'm concerned).

But how much trust is "enough"?
Let's see what approaches others are using... the only one that comes to my
mind is the Debian package maintainership method: every maintainer needs a
trusted key to upload a package.

Let's see how Debian defines "trusted key"... more or less this way (I
won't quote the exact message as I opened the Italian page and I am now
offline): a key is trusted if it is signed by a trusted key (with no
limit on the number of "hops") or if the maintainer can send some form of
photo-ID.
But I can't see how a photo-ID can be _really_ trusted... but is it our
point to completely trust the association between the physical person
and the signing key?
This could be good, but this is not strictly necessary: right now we're
accepting packages just trusting the "From:" header of a mail... a thing
that can't be trusted at all!
In this perspective a scan of an acknowledged photo-ID should be a good
start.
Of course Debian's main method to authenticate new maintainers is to have
them have their key signed by a previous maintainer, as their maintainers
are quite a big number of people and are present in almost any country.

I think that this method can be good enough also for us... I'm a bit
paranoid about security but reality must be faced: it is impossible that
every one of us meets CGF or a Red Hat guy.
Well... the latter wouldn't be *so* difficult, if I'm not wrong there's
a Red Hat building also in my city (Milano, Italy)... but I guess it's a
sales office, not a development center. Moreover I don't know how much
cygwin is or must or can depend on Red Hat itself.
(In case this could be acceptable I would willingly go physically there
to show my face and my ID card to some RH guy.)

As a matter of fact we could use the existing Debian as a source of GPG
trust: if we want to use a similar system and we suppose that Debian
has no "Evil Intentions" we can easily assume that a long-time Debian
maintainer (with their own Debian-signed key) is enough (or more) trusted
than we need.

Looking forward to comments =)
Lapo

--
Lapo 'Raist' Luchini
lapo@lapo.it (PGP & X.509 keys available)
http://www.lapo.it (ICQ UIN: 529796)

