Re: Fedora based MeeGo = NoGo!
Though this thread needs to be renamed to "Non-Debian based MeeGo = NoGo!", since:
- It all started when the move to Fedora/RPM was announced (cue ranting),
- After much discussion, the fact that RPM is at feature parity with DEB started to settle in,
- So then came more ranting about Fedora not doing as much ARM work as Debian [dubious statement][discuss],
- Then someone correctly pointed out that MeeGo was not actually based on Fedora,
- And as such the thread became about how bad it was that MeeGo was not being based on any existing distro (like Debian) [sigh].
By now, who knows what the thread is about, other than complaining that MeeGo is not based on Debian :). Maybe a link to the Debian Mobile distro in the works would help?
Re: Fedora based MeeGo = NoGo!
Here you are: https://garage.maemo.org/projects/moebian/ :)
Re: Fedora based MeeGo = NoGo!
https://garage.maemo.org/plugins/wik...id=1382&type=g
There in the instructions, one downloads deb packages and installs them without checking authenticity in any way. I suggest making the corresponding GPG-signed *.dsc files available as well, so people can manually check and make sure there is no MITM, nameserver, or other attack going on.

That is one thing I have always disliked about Debian systems, especially their deb format. They do say authenticity and integrity are handled and there are no problems there, but developers still install deb packages blindly, and cumulative security degradation can eventually go through the whole Linux community (see Thompson's trojan compiler). At least that will be fixed with the RPM format in MeeGo, as talked about before.

http://fedoranews.org/tchung/gpg/ (later, when everything is set up, the developer just builds automatically signed packages from a spec file, tarball or src.rpm file.)

$ rpmbuild -ba --sign newpackage.spec
Re: Fedora based MeeGo = NoGo!
Re: Fedora based MeeGo = NoGo!
I agree that building GPG-signed packages can be said to be as easy or as difficult in both RPM and DEB systems, although with rpmbuild one can do it at the same time as the build itself (the --sign option), while in a DEB system the developer has to use either a script or two commands (dpkg-buildpackage and debsign). For a developer, either way should not be a problem. But for a developer it should be a MUST to know that (GPG) signing is nowadays necessary whenever anything is exported, and that the signature has to be found in the same place as the package data; otherwise many users do not bother about security, and it can kick back troubles upstream to the developer him/herself if a trojan was added somewhere in the middle.

But for a package user there definitely IS a difference, in favour of RPM over DEB. Because RPM has the GPG signature embedded, once the signature is added it always follows the package, whether it is offered on a web2 forum, on a USB stick, by Bluetooth, in a Skype chat, and so on. When installing an RPM package, with the lower-level program rpm, or with yum, or with apt (yes, apt tools were used in Fedora before), it always checks the GPG signature and checksums unless explicitly told not to. If the GPG public key is not in the local database or cannot be automatically retrieved, all programs will complain. There is also a warning (I don't remember right now at which stage of GPG key importing) if the GPG key itself is not seen as "trusted". Many RPM users, including me, will send reminders to those RPM package makers who forgot to sign their packages. There is seldom any good excuse for leaving a package unsigned. Many also complain if the corresponding GPG public key is not found on the key servers. It has become just the thing to do in RPM-based systems: an installable RPM package either has a signature, or the packager or developer has done something wrong.
Embedded GPG signatures have automatically created a better security culture when it comes to manual package installations and upgrades in RPM-based systems. Ordinary people's laziness is pre-emptively tackled better. Just look at my previous post in this thread. There developers are starting somewhat from scratch, developing something new, and security is compromised right from the cradle. The deb package there didn't have signatures, neither embedded nor separate (at least not yet). In these maemo.org talk forums, one can find lots of instructions on how to download a deb package directly and install it with dpkg. I googled those a bit: http://www.google.com/search?q=site%...dpkg+-i%22+deb and tried a random sample of deb files. None of them had signatures, either embedded or offered alongside. With RPM packages there instead of those DEB packages, the probability of them having authenticity would be high (my experience from the developer/user community places where RPM packages are exported). You earlier threw out something like "in 99.99% of cases the deb system manages fine although it doesn't have GPG signatures embedded". That is hard to believe, just looking at these maemo.org talk and garage pages. When apt-get is used there is no problem, as long as the deb package is not then distributed further without the Release.* files.
I remember talking about this for the first time 7 years ago with Debian activists: that they should embed GPG signatures in the packages as well, and not just in the list of packages on the repository (Release.gpg). I see the same practical security problems today that there were already back then. Then they were sure the coming signing of DSC files would solve the remaining problems, which they agreed existed at the time. Well... signatures should still be embedded in the packages, just because people sometimes use them "wrong" after apt-get. Even if one wouldn't see any difference in the trust levels of RPM and DEB, and the higher-level package managers technically DO provide the same features, one should appreciate LSB's decisions and recommendations. I do not currently see any reason other than stubbornness for Debian not to transition from the DEB system to the RPM system. LSB-wise, alien restricts a lot, and because of that LSB has been forced to leave features of modern RPM out of the LSB-RPM format. Game developers and many other commercial developers still see the Linux system as too shattered and diverse a platform. The importance of wide standards should be understood by Linux developers everywhere (LSB, opendesktop.org, Linux Foundation). Without some pain and compromises there is no gain.
Re: Fedora based MeeGo = NoGo!
I frankly have a headache after reading through this technical discussion. I would like to understand nonetheless. What is the security threat to my computer if I only install applications from the official Debian repos? What is the purpose of signing packages then? Is that not something useful only to third-party developers and/or when there is no official repo? All this to say I really don't see the point of a "GPG-signature-like feature" for a distro like Debian (and will gladly plead my ignorance on the subject).
@zimon Is there an example of a major distro switching from deb to rpm?
Re: Fedora based MeeGo = NoGo!
If you download a deb package with Firefox, MicroB, wget, or with lynx/lftp/ncftp, and then install it with dpkg, then all bets are off, because there may be a MITM attack on you and you really do not get the deb package from the official repository after all, although it seems so. You have no way to check the authenticity of that unsigned deb file, so it can be a Trojan horse which you will install.
http://www.google.com/search?q=site%...dpkg+-i%22+deb That is, when you have an unsigned package, you should not offer it further, or install or extract an unsigned package straight with wget + dpkg -i. The talk.maemo.org forum is full of instructions, though, on how to install unsigned packages just by downloading them and using dpkg. That's why the current "de facto" DEB security policy is ineffective, as it has been for years.
http://www.linuxfoundation.org/about/members
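The chain that apt walks and that a bare `wget` + `dpkg -i` skips, as an added example (this is not code from the thread, from apt or from dpkg): Release.gpg signs Release, Release lists the SHA256 of the Packages index, Packages lists the SHA256 and size of each .deb, and the fetched .deb must match. A .deb downloaded by hand and fed to dpkg is checked at no link of that chain, so a substituted or modified file installs just the same. The block assumes the Release file was already verified with `gpg --verify Release.gpg Release` (or is an InRelease file) and starts from that point; `verify_chain`, the index path and the whole sample repository are constructed for the example and are not real maemo.org data.

```python
"""Hash chain a signed Release file establishes over Packages and each .deb (added example)."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text: str) -> dict:
    """{relative_path: (sha256_hex, size)} from the 'SHA256:' section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):           # a new field header ends the section
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text: str) -> dict:
    """{Filename: (sha256_hex, size)} from a Packages index (stanzas separated by blank lines)."""
    pkgs = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        pkgs[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return pkgs


def verify_chain(release_text, packages_bytes, deb_bytes, deb_path, index_path):
    """Return (ok, reason); ok only if every link from (verified) Release down to the .deb matches.

    Hypothetical helper: apt's real implementation also handles MD5Sum/SHA1 sections,
    by-hash lookups and multiple indexes; the chain logic is the same."""
    release = parse_release_sha256(release_text)
    if index_path not in release:
        return False, "Release does not list the Packages index"
    digest, size = release[index_path]
    if len(packages_bytes) != size or sha256(packages_bytes) != digest:
        return False, "Packages index does not match Release"
    pkgs = parse_packages(packages_bytes.decode())
    if deb_path not in pkgs:
        return False, "package not listed in Packages"
    digest, size = pkgs[deb_path]
    if len(deb_bytes) != size or sha256(deb_bytes) != digest:
        return False, "deb does not match Packages (tampered or substituted)"
    return True, "ok"


# --- constructed sample repository (placeholder bytes, not a real .deb) ---
GOOD_DEB = b"!<arch>\n(constructed placeholder .deb body)\n"
DEB_PATH = "pool/main/e/example/example_1.0_armel.deb"
INDEX_PATH = "main/binary-armel/Packages"
PACKAGES = (
    "Package: example\nVersion: 1.0\nArchitecture: armel\n"
    f"Filename: {DEB_PATH}\nSize: {len(GOOD_DEB)}\nSHA256: {sha256(GOOD_DEB)}\n"
).encode()
RELEASE = (
    "Origin: Example\nSuite: fremantle\nSHA256:\n"
    f" {sha256(PACKAGES)} {len(PACKAGES)} {INDEX_PATH}\n"
)
TAMPERED_DEB = bytes([GOOD_DEB[0] ^ 1]) + GOOD_DEB[1:]   # same size, one bit flipped


def demo():
    """The honest download passes; a same-size modified file fails; a modified index fails."""
    return (
        verify_chain(RELEASE, PACKAGES, GOOD_DEB, DEB_PATH, INDEX_PATH),
        verify_chain(RELEASE, PACKAGES, TAMPERED_DEB, DEB_PATH, INDEX_PATH),
        verify_chain(RELEASE, PACKAGES + b"\n", GOOD_DEB, DEB_PATH, INDEX_PATH),
    )


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The point for the thread: the .deb itself carries nothing; its trust comes entirely from the Release/Packages files that sit next to it in the repository. Move the file somewhere without them (a forum attachment, a wget link) and there is nothing left to check, which is exactly the gap an embedded signature closes.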
Re: Fedora based MeeGo = NoGo!
Zimon, sorry, we won't agree on this one. You dislike certain policies and developers (not) adhering to them, and that's OK. But that still has nothing to do with the package format; none of the things you described have. You could just as well be notifying deb maintainers to sign packages, warning people about not installing random unsigned packages, changing apt defaults, etc. It's like saying BMW cars are safety hazards because you saw one speeding last week. Changing the make of the car won't automatically make the driver more safety conscious.
Re: Fedora based MeeGo = NoGo!
Without changing the package format, Debian could fix this security problem by embedding a GPG signature with debsigs in all packages it provides from its repositories (like Fedora does). People, as shown here on talk.maemo.org, will download packages with different tools, skipping the important authenticity check that the apt tools would do.
http://packages.debian.org/sid/devel/debsigs http://manpages.ubuntu.com/manpages/...ebsigs.1p.html Will current dpkg versions check the GPG signature if it is embedded in the DEB file? The dpkg manual page says there is a --no-debsig option, so I assume that if that option is not used, the embedded GPG signature and the package itself are checked for authenticity, like the rpm program does unless the --nosignature option is given. So the user does not have to check manually with debsig-verify? Or am I assuming wrong, and dpkg can't handle embedded GPG signatures anyway? I couldn't find debsigs or debsig-verify for ARM though, so I am not sure at all whether dpkg on the N900 will handle embedded GPG signatures. Or, then again, Debian could do the world a favour and change to the RPM system, so that modern features could be added to LSB-RPM without worrying that alien won't support them.
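Where an embedded signature physically lives in the two containers the thread contrasts (the earlier post on RPM's embedded signature and this one on debsigs), as an added example that is not code from the thread, from dpkg, debsigs or rpm. A .deb is an ar(1) archive; debsigs stores the signature as an extra member named `_gpg<type>`, for example `_gpgorigin`, which is what `debsig-verify` looks for. An RPM carries its signatures in the signature header that follows the fixed 96-byte lead, under tags such as RPMSIGTAG_GPG (1005), RPMSIGTAG_PGP (1002), RPMSIGTAG_RSA (268) and RPMSIGTAG_DSA (267), which is what `rpm -K` reads. Both sample files are constructed inside the block with placeholder signature blobs, so the code shows only whether a signature is present, not whether it is valid; actual verification still needs `debsig-verify` with a policy for the signing key, or `rpm -K` with the key imported.

```python
"""Detect embedded signatures in .deb (debsigs ar member) and .rpm (signature header) files (added example)."""
import struct

AR_MAGIC = b"!<arch>\n"
RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_HEADER_MAGIC = b"\x8e\xad\xe8\x01"          # header magic + version 1
RPM_SIG_TAGS = {267: "DSA", 268: "RSA", 1002: "PGP", 1005: "GPG"}


def ar_members(data: bytes):
    """Yield (name, payload) for each member of an ar archive such as a .deb."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]               # 60-byte fixed-width ASCII header
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        name = hdr[0:16].decode().rstrip().rstrip("/")   # GNU ar appends '/'
        size = int(hdr[48:58].decode().strip())
        yield name, data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)          # member data is 2-byte aligned


def deb_signatures(deb: bytes) -> list:
    """Names of debsigs signature members (_gpgorigin, _gpgmaint, ...)."""
    return [name for name, _ in ar_members(deb) if name.startswith("_gpg")]


def rpm_signatures(rpm: bytes) -> list:
    """Signature tags present in the RPM signature header (the part rpm -K checks)."""
    if not rpm.startswith(RPM_LEAD_MAGIC):
        raise ValueError("not an RPM")
    hdr = 96                                    # signature header starts right after the lead
    if rpm[hdr:hdr + 4] != RPM_HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, = struct.unpack(">I", rpm[hdr + 8:hdr + 12])
    found = []
    for i in range(nindex):                    # 16-byte index entries: tag, type, offset, count
        tag, = struct.unpack(">I", rpm[hdr + 16 + 16 * i: hdr + 20 + 16 * i])
        if tag in RPM_SIG_TAGS:
            found.append(RPM_SIG_TAGS[tag])
    return found


# --- constructed sample files (placeholder payloads, not real packages) ---
def ar_member(name: str, payload: bytes) -> bytes:
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(payload):<10}".encode() + b"`\n"
    return hdr + payload + (b"\n" if len(payload) & 1 else b"")


def build_deb(signed: bool) -> bytes:
    members = [ar_member("debian-binary", b"2.0\n"),
               ar_member("control.tar.gz", b"\x1f\x8b" + b"\0" * 10),
               ar_member("data.tar.gz", b"\x1f\x8b" + b"\0" * 10)]
    if signed:   # what `debsigs --sign=origin` appends
        members.append(ar_member("_gpgorigin", b"-----BEGIN PGP SIGNATURE-----\n(constructed)\n"))
    return AR_MAGIC + b"".join(members)


def build_rpm(signed: bool) -> bytes:
    lead = RPM_LEAD_MAGIC + bytes([3, 0]) + b"\0" * 90            # 96-byte lead, version 3.0
    entries = [(1000, 4, 0, 1), (1004, 7, 4, 16)]                 # RPMSIGTAG_SIZE, RPMSIGTAG_MD5
    data = struct.pack(">I", 1234) + b"\0" * 16
    if signed:
        sig = b"(constructed GPG signature blob)"
        entries.append((1005, 7, len(data), len(sig)))           # RPMSIGTAG_GPG
        data += sig
    index = b"".join(struct.pack(">IIII", *e) for e in entries)
    return lead + RPM_HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data)) + index + data


if __name__ == "__main__":
    for signed in (False, True):
        print("deb:", deb_signatures(build_deb(signed)), "rpm:", rpm_signatures(build_rpm(signed)))
```

The contrast the thread is arguing about is visible in the two builders: the unsigned .deb is a complete, installable package with nothing missing, whereas an RPM always has a signature header slot and an unsigned one is recognisably incomplete, which is why tooling and users notice.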
Re: Fedora based MeeGo = NoGo!