
Re: PROPOSAL: GPG Signing of Releases

From: Ben Reser <ben_at_reser.org>
Date: 2004-04-13 19:48:34 CEST

On Tue, Apr 13, 2004 at 01:29:53PM -0400, John Peacock wrote:
> kfogel@collab.net wrote:
> >Justin Erenkrantz <justin@erenkrantz.com> writes:
> >
> >>Yes. If I were to see a key entitled 'Subversion Release Key' on,
> >>say, 1.0.2 then for 1.1, I don't see it, I could envision that users
> >>would be legitimately concerned that the key wasn't used to sign 1.1.
> >>So, if we introduce it, I think we must intend to use it for all
> >>subsequent releases. -- justin
> >
> >
> >You know, I'm turning this over in my mind, and must finally admit
> >that I just don't know how most users would react. Probably it would
> >be different for different people.
>
> I just read through the Apache pages here:
>
> http://www.unixsoft.org/apache/httpd/#sig
> http://httpd.apache.org/dev/verification.html
>
> and although it requires multiple steps (and at least one face to face
> meeting for full trust), it is probably a workable solution for Subversion
> as well.
>
> As I understand it, the use of a shared key means that the release is
> always signed by a single key, which is itself cross-signed by multiple
> individual keys. That would mean that a given end user would have to
> install at most the shared key and one personally verified key that has
> signed the shared key in order to have a full trust relationship.
>
> Not using a shared key means that the key used to sign the release would
> vary over time. In this case, the entire contents of the project KEYS file
> would be imported, but again only a single personally verified key will activate
> the web of trust. But as long as the web of trust were maintained, there
> would be no more interaction required in order to verify the signature(s).
>
> Is that a fair assessment? If so, then I don't see why the shared key is
> that significantly superior to the web of trust that Apache itself is using.

You can still use the shared key without using the web of trust at all.
Just as you would verify a release with an md5sum by checking multiple
sources of the md5sum, you can check a key length/fingerprint.

If a person rejects that as a valid way of giving a key trust then your
assessment would be correct. But this is again an individual user
decision. Obviously, we want to create the web of trust and sign the
shared key to give users as many options of verifying the key as they
can.

The flaws and potential problems IMHO aren't particularly different with
shared keys. It is easier to make a mistake with a shared key. But the
issues are the same.

The difference is Apache's technique forces all users that want to use
GPG to verify a release to buy into the web of trust. I don't believe
this is a realistic requirement. That's not to say I have anything
against the web of trust.

-- 
Ben Reser <ben@reser.org>
http://ben.reser.org
"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken
Received on Tue Apr 13 19:48:50 2004
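As an added example (not code from this thread or from the Subversion project), a POSIX shell script that verifies a release tarball against its detached GPG signature and then pins the signing key's fingerprint, which is the "check the fingerprint from multiple sources" approach described above as an alternative to relying on the web of trust. The file names and the fingerprint are placeholders; the real fingerprint must be collected out of band from several independent sources.

```shell
#!/bin/sh
# Verify a release against a detached signature and pin the signing key's
# fingerprint instead of trusting gpg's web-of-trust verdict.
# PINNED_FPR is a CONSTRUCTED placeholder, not a real project key.
PINNED_FPR='0000 1111 2222 3333 4444  5555 6666 7777 8888 9999'

# Normalise a fingerprint for comparison: drop whitespace, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Succeed (exit 0) only when the two fingerprints denote the same key.
fingerprints_match() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# verify_release TARBALL SIGNATURE PINNED_FINGERPRINT
# Uses gpg's machine-readable status lines: on a good signature gpg emits
# "[GNUPG:] VALIDSIG <signing-key-fpr> ... <primary-key-fpr>". Note that
# gpg exits 0 for a good signature even when the key is untrusted, which is
# exactly why the fingerprint is checked here rather than the trust level.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    sigfpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    prifpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$sigfpr" ] || return 1
    # Accept a match on either the signing subkey or its primary key, since
    # a KEYS file may publish only the primary key's fingerprint.
    fingerprints_match "$3" "$sigfpr" || fingerprints_match "$3" "$prifpr"
}

# Usage: sh verify.sh subversion-1.0.2.tar.gz subversion-1.0.2.tar.gz.asc
if [ $# -eq 2 ]; then
    if verify_release "$1" "$2" "$PINNED_FPR"; then
        echo "OK: signature valid and made by the pinned key"
    else
        echo "FAIL: bad signature, unknown key, or fingerprint mismatch" >&2
        exit 1
    fi
fi
```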

This is an archived mail posted to the Subversion Dev mailing list.
