undefined | Better HN

0 pointsacatton2y ago0 comments

TLS prevents a different kind of attack, the MitM one which you describe.

GPG signing covers this threat model but much more, the threats include:

* The server runs vulnerable software and is compromised by script-kiddies. They, then, upload arbitrary packages on the server

* The cloud provider is compromised and attackers take over the server from the admin cloud provider account.

* Attacker use a vulnerability (from SSH, HTTPd, ...) to upload arbitrary software packages to the server

GPG doesn't protect against the developer machine getting compromised, but it guarantees that what you're downloading has been issued from the developer's machine.

0 comments

jvanderbot2y ago

I agree, but I think that model of GPG is not how it's used any more. I think nowadays people upload a one-shot CI key, which is used to sign builds. So you're basically saying "The usual machine built this". Which is good information, don't get me wrong, but it's much less secure than "John was logged into his laptop and entered the password for the key that signed this"

So, you're right, that GPG verifies source, whereas TLS verifies distribution. I suppose those can be very different things.

Perhaps counter example: https://launchpad.net/~lubuntu-ci/+archive/ubuntu/stable-bac...

> The packages here are from the latest upstream release with WORK IN PROGRESS packaging, built from our repositories on Phabricator. These are going to be manually uploaded to the Backports PPA once they are considered stable.

And presumably "manually" means "signed and uploaded"

spookie2y ago

No established GNU/Linux distribution is going to half ass GPG signing as you've implied.

jvanderbot2y ago

Which part is half ass? Manual or automatic?

1 more reply

IshKebab2y ago

> They then upload arbitrary packages on the server

And change the instructions to point to a different GPG key (or none at all).

I think the only situation it possibly helps in is if you are using untrusted mirrors. But then a simple checksum does that too. No need for GPG.

jvanderbot2y ago

The "different gpg key" would be flagged by a package manager, but (critically) not this tool.

j / k navigate · click thread line to collapse

0 pointsacatton2y ago0 comments

TLS prevents a different kind of attack, the MitM one which you describe.

GPG signing covers this threat model but much more, the threats include:

* The server runs vulnerable software and is compromised by script-kiddies. They, then, upload arbitrary packages on the server

* The cloud provider is compromised and attackers take over the server from the admin cloud provider account.

* Attacker use a vulnerability (from SSH, HTTPd, ...) to upload arbitrary software packages to the server

GPG doesn't protect against the developer machine getting compromised, but it guarantees that what you're downloading has been issued from the developer's machine.

0 comments

jvanderbot2y ago

So, you're right, that GPG verifies source, whereas TLS verifies distribution. I suppose those can be very different things.

Perhaps counter example: https://launchpad.net/~lubuntu-ci/+archive/ubuntu/stable-bac...

And presumably "manually" means "signed and uploaded"

spookie2y ago

No established GNU/Linux distribution is going to half ass GPG signing as you've implied.

jvanderbot2y ago

Which part is half ass? Manual or automatic?

1 more reply

IshKebab2y ago

> They then upload arbitrary packages on the server

And change the instructions to point to a different GPG key (or none at all).

I think the only situation it possibly helps in is if you are using untrusted mirrors. But then a simple checksum does that too. No need for GPG.

jvanderbot2y ago

The "different gpg key" would be flagged by a package manager, but (critically) not this tool.

j / k navigate · click thread line to collapse