www-infrastructure-dev mailing list archives

From Thomas Koch <tho...@koch.ro>
Subject secure distributions was: jar signing
Date Fri, 16 Sep 2011 07:40:19 GMT
Hi,

I'm very happy to see the topic of secure binaries raised. I'm very worried 
that it's virtually impossible to do Java development without compromising the 
security of every machine involved.[1]

Since I come from Debian I thought some background about the security model of 
the Debian archive could be of interest:

http://www.debian.org/doc/manuals/securing-debian-howto/ch7.en.html#s-deb-pack-sign
http://www.cryptnet.net/fdp/crypto/strong_distro.html

Some bullet points (disclaimer: I'm not an expert in this):

* Debian Maintainers upload source code, which gets built by the archive.
* Maintainers need to have their GPG key in the Debian keyring to have upload 
permission.
* Every archive contains a signed list of the hashes of all packages included.
* The archive key is renewed every year.
* The Debian process could of course still be improved. (Require two 
Maintainers to sign an upload?)

[1] Don't tell me that you can set up your own maven repo. - You're still not 
going to build everything from source and review the source code of all 
dependencies and Eclipse/Maven plugins.

Best regards,

Thomas Koch, http://www.koch.ro
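The chain the bullet points describe (archive builds the packages, publishes a signed list of their hashes, clients trust a keyring of archive keys that gets rotated) can be shown end to end in a few dozen lines. The following is an added example written for this archive page; it is not code from the post, from Debian, or from the Apache infrastructure project. It assumes Ed25519 from the Go standard library as a stand-in for the GPG signature, a single flat "hash  name" manifest in place of the real Release/Packages two-level index, and constructed package names and contents; the `Package`, `BuildManifest`, `SignManifest` and `VerifyPackage` identifiers are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Package is a constructed stand-in for a binary package built by the archive.
type Package struct {
	Name string
	Data []byte
}

// BuildManifest renders a Release-style index: one "<sha256>  <name>" line per
// package, sorted by name so the bytes the archive signs are deterministic.
func BuildManifest(pkgs []Package) []byte {
	sorted := append([]Package(nil), pkgs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	var sb strings.Builder
	for _, p := range sorted {
		sum := sha256.Sum256(p.Data)
		fmt.Fprintf(&sb, "%s  %s\n", hex.EncodeToString(sum[:]), p.Name)
	}
	return []byte(sb.String())
}

// SignManifest signs the manifest with the archive's current private key
// (Ed25519 here, where Debian uses a GPG key).
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyPackage is the client-side check. The manifest signature must come from
// a key in the trusted keyring (which holds every archive key still inside its
// validity window, so the yearly rotation is an append now and a removal later),
// and the package's hash must match the entry for its name in that manifest.
// A manifest edited after signing fails the first check; a package swapped
// after the manifest was signed fails the second.
func VerifyPackage(keyring []ed25519.PublicKey, manifest, sig []byte, pkg Package) error {
	trusted := false
	for _, pub := range keyring {
		if ed25519.Verify(pub, manifest, sig) {
			trusted = true
			break
		}
	}
	if !trusted {
		return fmt.Errorf("manifest signature was not made by a trusted archive key")
	}
	sum := sha256.Sum256(pkg.Data)
	want := hex.EncodeToString(sum[:])
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 || fields[1] != pkg.Name {
			continue
		}
		if fields[0] == want {
			return nil
		}
		return fmt.Errorf("%s: hash mismatch, package changed after the manifest was signed", pkg.Name)
	}
	return fmt.Errorf("%s: not listed in the signed manifest", pkg.Name)
}

func main() {
	// Constructed demo: last year's and this year's archive keys, two packages.
	oldPub, _, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	keyring := []ed25519.PublicKey{oldPub, newPub}

	pkgs := []Package{
		{"libfoo", []byte("constructed libfoo bytes")},
		{"bar", []byte("constructed bar bytes")},
	}
	manifest := BuildManifest(pkgs)
	sig := SignManifest(newPriv, manifest)

	fmt.Println("genuine package: ", VerifyPackage(keyring, manifest, sig, pkgs[0]))
	tampered := Package{"libfoo", []byte("constructed libfoo bytes plus a change")}
	fmt.Println("tampered package:", VerifyPackage(keyring, manifest, sig, tampered))
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("rogue signer:    ", VerifyPackage(keyring, manifest, SignManifest(roguePriv, manifest), pkgs[0]))
}
```

The point the keyring makes is the one behind "the archive key is renewed every year": rotation only works if clients ship with the set of currently valid keys and drop expired ones, otherwise either the new key is rejected or the old one is trusted forever.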
