Debian moving away from OpenPGP signatures

13 views
Skip to first unread message

Tony Arcieri

unread,
Jun 24, 2021, 12:54:18 PM6/24/21
to The Update Framework (TUF)
Sadly, it sounds like they're planning out how to roll their own simpler version of an OpenPGP-like subkey system rather than properly considering roles within the system and how they should be composed into a key hierarchy ala TUF:


--
Tony Arcieri

Trishank Kuppusamy

unread,
Jun 24, 2021, 4:05:57 PM6/24/21
to Tony Arcieri, Dan Lorenc, Santiago Torres Arias, Marina Moore, The Update Framework (TUF)

--
You received this message because you are subscribed to the Google Groups "The Update Framework (TUF)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to theupdateframew...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/theupdateframework/CAHOTMV%2BL2JitG-npOwNd8%2B-A_cFrBgWteumaB5pURn01Fyi_zA%40mail.gmail.com.

Trishank Kuppusamy

unread,
Jun 24, 2021, 4:17:40 PM6/24/21
to Tony Arcieri, Dan Lorenc, Santiago Torres Arias, Marina Moore, The Update Framework (TUF)
On Thu, Jun 24, 2021 at 4:05 PM Trishank Kuppusamy <trishank....@datadoghq.com> wrote:
Debian may sign its reproducible builds with TUF's sister project, in-toto, which is fantastic.

However, Debian should be careful to securely distribute and rotate the public keys for their in-toto root layout. Otherwise, the security of their reproducible builds is only as strong as the weakest link. If they take care to protect their packages against nation-state attacks, they should go all the way.

This is why Debian should use something like TUF to be the compromise-resilient protocol for in-toto and packages. They should also use sigstore to permanently record every update, and may also use it to distribute the Debian TUF root. By combining all three technologies, they will have a fully-auditable, end-to-end-secure distribution of packages, all the way from developers to end-users.

Joshua Lock

unread,
Jul 1, 2021, 7:00:51 AM7/1/21
to Trishank Kuppusamy, Tony Arcieri, Dan Lorenc, Santiago Torres Arias, Marina Moore, The Update Framework (TUF)
I reached out to the apt developers on IRC to see if there was any interest in discussing how they might use TUF, or concepts from TUF, rather than invent something new. Here’s a summary of that discussion.

The developer who responded stated that their main concern with using TUF is that it requires extensive changes to not just apt, but several Debian projects and pieces of infrastructure – therefore they evaluate that the cost/benefit ratio is too high.

On the AptSign idea, the Apt developers were surprised it had suddenly drawn so much attention when they considered it to be only some sketching towards a possible solution, not a concrete proposal. The HN thread and some other feedback has led to various updates pending to the concept.

Once the folks working on AptSign consider it a full proposal the anticipated process is that they would share it the apt team’s mailing list (de...@lists.debian.org) for discussion.

Thanks,
Joshua
-- 
Joshua Lock
VMware Open Source Technology Center

--
You received this message because you are subscribed to the Google Groups "The Update Framework (TUF)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to theupdateframew...@googlegroups.com.

Trishank Kuppusamy

unread,
Jul 15, 2021, 8:53:46 PM7/15/21
to Joshua Lock, Tony Arcieri, Dan Lorenc, Santiago Torres Arias, Marina Moore, The Update Framework (TUF)
Good to hear, thanks, Joshua!

On Thu, Jul 1, 2021 at 7:00 AM Joshua Lock <jl...@vmware.com> wrote:

The developer who responded stated that their main concern with using TUF is that it requires extensive changes to not just apt, but several Debian projects and pieces of infrastructure – therefore they evaluate that the cost/benefit ratio is too high.

I may be biased, but this impression seems objectively wrong to me. While TUF may seem complicated, it is mostly in the one-time setup work. OTOH, the cost of not using TUF is nation-state attacks. How can we help change this impression? Perhaps we could arrange a call followed by a proposal?

Joshua Lock

unread,
Jul 22, 2021, 9:17:41 AM7/22/21
to Trishank Kuppusamy, Tony Arcieri, Dan Lorenc, Santiago Torres Arias, Marina Moore, The Update Framework (TUF)
I don’t think they were asserting that TUF is complicated, more that it’s integration into Debian would be complex (especially in terms of aligning folks) due to the number of components involved with no single overarching decision maker.

Joshua

Trishank Kuppusamy

unread,
Jul 22, 2021, 1:01:34 PM7/22/21
to Joshua Lock, Tony Arcieri, Dan Lorenc, Santiago Torres Arias, Marina Moore, The Update Framework (TUF)
On Thu, Jul 22, 2021 at 9:17 AM Joshua Lock <jl...@vmware.com> wrote:

I don’t think they were asserting that TUF is complicated, more that it’s integration into Debian would be complex (especially in terms of aligning folks) due to the number of components involved with no single overarching decision maker.

I see, this is fair, thanks. Perhaps third-parties can add their own TUF metadata to all the Debian (including in-toto) metadata and packages to try to protect the OSS community. We can show them how to do it, and they can decide what to do next.
Reply all
Reply to author
Forward
0 new messages