Subject: Re: release authentication
To: Erik E. Fair <>
From: Simon Burge <>
List: tech-security
Date: 03/22/1999 15:41:02
"Erik E. Fair" wrote:

> We take security seriously. Not just anyone can do CVS commits, and we use
> ssh for access to our important servers.
> I think it's time to take the next step and PGP sign the CHECKSUM and MD5
> files that come with the releases we make. Partly this is to mitigate the
> attack that Ken Thompson described in his Turing Award lecture, "On
> Trusting Trust."

Would it be only necessary to sign the MD5 file - given that it's the
strongest hash that we use so far?  I wouldn't think it's necessary to
sign all the other checksum-type files (hey, we used to ship software
with just a BSD sum(1) and I wrote a program to fudge the end of the
tar file so we didn't have to update the release notes each time we
re-packed the release), and at a guess 'most everyone who takes security
that seriously would have md5 on the system downloading the release if
it wasn't a NetBSD system anyway.

> The keys can either be the personal keys of the portmasters, or we can
> generate new "role" keys for port-<foo> We should
> endeavor to cross-sign the keys we use so that we have a solid "web of
> trust."

I'm not a great user of PGP - is it possible for more than one person
(at a time, not collectively) to be able sign something with a given
key?  For example, for the last pmax release I did the release builds,
but am not the portmaster.

Other than that, sounds like a good idea.