177
edits
Changes
→New URI proposal (apt:// or yum://)
For developers however the deployment of the infrastructure required to host an entire debian archive may be too much. In such circumstances however there is a very simple additional proposition which takes care of that: either a deb:// URI or simply to activate installation and execution of packages when a "http://{fqp}/packagename.deb" URL is encountered.
=== Advantages of People-based security ===
* developer keys are part of a comprehensive GPG/PGP web-of-trust that ensures that developers are actually who they say they are.
* the procedure for stores to identify developers, through that web-of-trust of GPG/PGP keys, is very straightforward (and can be automated, although full automation without some degree of responsible vetting is not recommended).
** a store could, on discovering a deliberately-malicious app, report the identity of the person directly to law enforcement authorities as well as to the web-of-trust.
* developers can be requested to GPG-sign an agreement which becomes a legally-binding contract with the store(s). this is similar to CSP. Debian Developers ''actually'' do this, very comprehensively: http://wiki.debian.org/DebianMaintainer
* the security can be upgraded on a rolling basis
** developers can publish multiple keys into the online keyring, and use the old (less secure?) one whilst they are still establishing the new one in the webring. (''note: this has actually happened in debian: a flaw was discovered in openssl and entire teams of GNU/Linux maintainers had to create new keys and revoke the old ones'').
** the "package keyring" can have new keys added to it as well; again, the old key can be used until the new (stronger?) one is well-established.
* as the store's GPG key is used to digitally-sign "Package Release Manifests", including security update manifests, stable package-list manifests and "bleeding edge" package manifests, users can correspondingly always either roll back to a stable baseline, track security updates (only) or live on the edge, at their own choosing. (''see http://ftp.uk.debian.org/debian/dists/Debian6.0.4/, note the "Release" file and its corresponding "Release.gpg" file'').
* there is '''no''' actual real link to the actual distribution of the packages once they have been signed.
** the delivery (transport method) of the packages can be done in-the-clear, over a network or any off-line mechanism that can be creatively devised
** the distribution range (mirroring) of the packages is literally unlimited (and unlimitable - even peer-to-peer is possible: see http://www.camrdale.org/apt-p2p/ )
** the limitless distribution does '''not''' impact on security, as long as "security updates" are enabled on a user's device (or otherwise regularly checked: it's a "pull" mechanism, not a "push" mechanism).
* dynamic package updates ''can'' be done, by creating a new URI schema ([[#New URI proposal (apt:// or yum://)]])
=== List of GNU/Linux Distributions that use Package Signing ===