
Re: [GNU-linux-libre] Help users to verify their downloads


From: Jean Louis
Subject: Re: [GNU-linux-libre] Help users to verify their downloads
Date: Mon, 25 Jun 2018 11:33:20 +0200
User-agent: Mutt/1.10.0 (2018-05-17)

On Fri, Jun 22, 2018 at 07:05:31PM +0200, Denis 'GNUtoo' Carikli wrote:
> On Wed, 20 Jun 2018 13:17:36 -0400
> Donald Robertson <address@hidden> wrote:
> 
> > Things that aren't really freedom
> > issues, but are important for making sure everyone can get the best
> > out of the program.
> In my opinion it's somehow related, as this makes sure the users get
> the correct binaries, for which they can get the corresponding source
> code from the distribution.
> 
> Having the ability for users to check if this is the case (either by
> verifying the signatures or by taking advantage of reproducible builds)
> enables certain users to check if the binaries and the source code
> match.
> 
> This increases the risk (of being caught) for the people
> secretly modifying the binaries, which increases the
> chance for users not checking the binaries they download to get
> non-secretly modified binaries.
> 
> > but I think we could make a much smaller document on the LibrePlanet
> > wiki that could be similarly useful for distro maintainers.
> That would be a very good idea.

In general, placing the hashes along with the files is
not enough to ensure that the package is genuine.

A hash would signify only that the expected file
that was checked on the server, by the uploader or
publisher, has arrived on the local computer.

When somebody can change a package on the server,
then they can also change the hash that lies next
to the package that was downloaded.

Hashes thus don't give any assurance that the package was
not tampered with.

A PGP signature along with the package would give more
security, but even that is not secure if the user does
not understand or know it.

It is possible to upload or publish PGP signatures
for email addresses that do not belong to the
uploader of such PGP signature.

It is possible to create PGP keys without having
control over those email addresses.

And there are so many maintainers of packages.

That means there are so many PGP keys.

If I receive the PGP key from the same server, and the PGP
signature, and the package from the same server, then
verification means just nothing.

PGP security works only if the key has been
verified with the trusted party who issued it.

So in order to verify the key, I would need to
call the developer, or SMS him, or otherwise use a
communication channel that is trusted (even this
is not absolute), and then by exchanging
fingerprints, I would know I have his true PGP
key.

Only thereafter can I use his public PGP key to
verify that the package has been signed by his public
PGP key.

So when requesting any security feature for
packages to be placed for downloading, let us not
dwell on illusions of security.

If users don't know how to verify PGP fingerprints
with the issuer of the PGP key, and it is anyway
unlikely that any serious percentage would be
doing so, then we are wasting time by creating
apparent security.

Jean Louis
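The verification procedure argued for above (sidecar hash as transport check only, signature accepted only when the signer's fingerprint was pinned out-of-band), as an added example that is not part of the original message. It assumes `gpg` and `sha256sum` are installed; the pinned fingerprint is a placeholder, and the user is expected to replace it with one obtained from the developer over a trusted channel.

```shell
#!/bin/sh
# Fingerprints obtained out-of-band (phone, in person, trusted channel).
# PLACEHOLDER value for illustration; never copy this list from the
# same server that serves the package.
PINNED_FPRS="0000000000000000000000000000000000000000"

# A sidecar hash only shows the bytes that left the server arrived intact.
# Whoever replaced the package on the server could replace this file too.
check_sidecar_hash() {
  # $1 package path, $2 hex digest read from the sidecar file
  [ "$(sha256sum "$1" | awk '{ print $1 }')" = "$2" ]
}

# Extract fingerprints from `gpg --status-fd` output. For a good signature
# gpg prints "[GNUPG:] VALIDSIG <signing-key-fpr> ... <primary-key-fpr>";
# print both, one per line, since users usually pin the primary key.
fprs_from_status() {
  printf '%s\n' "$1" |
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; print $NF; exit }'
}

# Succeed only if fingerprint $1 is in the space-separated list $2.
is_pinned() {
  for p in $2; do
    [ "$p" = "$1" ] && return 0
  done
  return 1
}

# Full check: the signature must be cryptographically good AND made by a
# key whose fingerprint was pinned out-of-band. A "good" signature from a
# key fetched alongside the package proves nothing, as the mail explains.
verify_package() {
  # $1 package, $2 detached signature (.sig/.asc), $3 pinned fingerprints
  status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
  for f in $(fprs_from_status "$status"); do
    is_pinned "$f" "$3" && return 0
  done
  return 1
}

# Usage: verify_package foo-1.0.tar.gz foo-1.0.tar.gz.sig "$PINNED_FPRS"
```

Note that `gpg --verify` exits 0 for a good signature from any key in the keyring, even one gpg reports as untrusted, so the fingerprint check is what ties the signature to the developer.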
