At the request of Dominic Steinitz, I'll outline the threats that I think this proposal protects against.
The signing of packages prevents a number of attacks between the packager and the server:
1) Accidentally or purposely hijacking a package that is signed by (belongs to) someone else.
2) Uploading a malicious package to replace someone else's good package.
3) Man-in-the-middle attcks between the packager and Hackage.
Checking signatures on the client side prevents:
1) Man-in-the-middle attcks between hackage and the client
2) Automatic installation of anonymous malicious packages
Building a trusted network of keys prevents:
1) Someone creating a key pretending to be someone else
2) Unchecked anonymous uploads (running arbitrary code from an unknown source)
One question that comes up is: how does the so-called "web of trust" help out with this situation? The signing of keys ties the identity of an individual (via their state-issued identification) to a particular key. Now if someone attempts one of the above attacks, after being "trusted" we know who they are in real life. So it's not really a "web of trust" but more like a "web of identity". We will need to put procedures in place for handling a variety of situations, like loss of trust, etc.
This proposal doesn't cover all of that, but it puts a bit of structure into place to raise the bar for an attacker sufficiently high in my opinion, and gives the end-users the tools they need to be as paranoid as they care to be.
peace,
isaac Isaac,
Thanks for doing this. It clarifies what we are protecting against and in my opinion is a pretty good solution. 1. How do we handle key management? For example, if I lose my key or someone hacks into my machine and steals my key. How do we revoke the key? If the package only accepts updates from a keyholder and the key is revoked, how do we issue a new key and allow the package to accept updates from the new keyholder? 2. How do I get a trusted key given I am not likely to meet anybody "trusted" in the near future? Registration is often a weak point in security schemes. 3. What constitutes a "trusted" key? Is it, if it signed by two people on the library mailing list? Dominic.