ID: 140PHID: PHID-TASK-fmfckf46hede24dqp4hjAuthor: PatrickStatus at Migration Time: openPriority at Migration Time: Normal
Migrated from:https://github.com/Whonix/Whonix/issues/125
Debian has no good mechanism to revoke apt keys in case of compromise, neither a way to inform users in emergency situations:https://lists.debian.org/debian-security/2013/10/msg00065.html
An apt key revoker should be written:https://lists.debian.org/debian-security/2013/12/msg00031.html
And up-streamed to Debian.
Keyservers may not be used: [Sks-devel] How much load are keyservers willing to handle?
The code for downloading the revocation certificates should be configurable.
.d style configuration folder. Where distributions and PPA’s can drop configuration snippets. Using arrays.
Code should be re-usable for Whonix News key revocation as well (using configuration snippet).
Related:
Implementation:sh vs #bash [arrays] vs #python vs ...) as more sophisticated implementation plans materialized.
2016-12-16 02:55:57 UTC
2016-12-16 23:27:54 UTC
2016-12-16 23:50:40 UTC
2016-12-17 01:02:41 UTC
HulaHoop (HulaHoop):
To avoid getting into a trust bootstrapping nightmare - its not
Emergency news should only inform about the new key. Not add the new
The emergency
added here:Dev/project-news - Kicksecure
In a sense the emergency
Should use multi sig (key splitting).
The Debian apt signing key is on an official debian.org server. The
They would need at least a 7/12 signature to create the Debian apt
Source:ftp-master.debian.org Archive Signing Keys
So by using multi sig and not keeping the the emergency news signing key
Added here:Dev/project-news - Kicksecure
Should revocation be automated? IMO nothing should ever be done
Perhaps it should be checked for revocation certificates on every run of
The key handling/revoking should be done via GPG itself of course.
I’d advice against signing the emergency news on any official debian.org
Language choice: Up to you. Whichever you are comfortable with is
What do you mean by language choice? Do you mean the final wording of
I am not eager to do the clean wording of the proposals.
I did not get the feeling that keyserver use is unwelcome however
Made a note here:Dev/apt-revoker - Whonix
We now have two proposals.
There will be some overlap.
I guess we should present only one concept at a time? Perhaps start with
(Doesn’t mean we cannot already discuss/write the emergency-news
2016-12-18 00:37:08 UTC
Perhaps it should be checked for revocation certificates on every run of apt-get update but not otherwise automated?
By “automating” it can run with apt-update even with an apt.cron setup maybe?
What do you mean by language choice?
Bash vs Python
I guess we should present only one concept at a time? Perhaps start with apt-revoker?
Yes.
There will be some overlap.
Both tools can be used together in some situations but they are very different in what they do. If this is presented clear enough the overlap in people’s minds should be eliminated.
(Doesn’t mean we cannot already discuss/write the emergency-news proposal. We can discuss/write any concept as thoughts are incoming.)
Right.
2016-12-18 12:53:32 UTC
2016-12-18 13:38:24 UTC
Renamed from emergency news to project news. It does not have to be limited to emergencies if it’s configureable. Users could subscribe to various channels, i.e. emergencies only, testers wanted etc.
Dev/project-news - Kicksecure
Added more points:
Should only distributions be allowed to drop in news plugins or application packages also?
2016-12-18 15:13:50 UTC
2016-12-18 15:38:48 UTC