Does not ask user to trust third party

Bug #374594 reported by Martin Owens
This bug affects 1 person
Affects: ppatool
Status: Confirmed
Importance: High
Assigned to: Mathieu Comandon

Bug Description

The ppatool currently adds without question the signed key for the third party ppa without even asking the user if they trust the person.

This may require a second tool, trusttool, which is able to gather information about a key and display to the user all the information and return true or false.

Whichever the way, we cannot simply add trusted keys to the system; it makes a mockery of the security.

Mathieu Comandon (strycore) wrote :

I'm not sure about this one.
Ideally I would like a script that does the job without asking any questions, so the ppatool assumes that when a user adds a ppa, he trusts it as well.
Also this is a tool only for ppa used on launchpad.net which I assume are a bit more secure than a repository hosted on some random website. (But maybe I shouldn't make this assumption)
Maybe there are security risks that I'm not aware of.
Which information concerning the key would be relevant to show to the user in order to trust the ppa?

Changed in ppatool:
assignee: nobody → Mathieu Comandon (strycore)
importance: Undecided → High
status: New → Confirmed
Martin Owens (doctormo) wrote :

I think it's fair to show at least the full real name, email address and trusted rating for this key (you know our keys have a rating based on a web of trust right?), well pick someone like Jono Bacon or Ben Mako Hill, they both have a big web of trust.

Once you display that info and a 'Do you trust this user with your computer? y/N' message, that should be fair.

Otherwise you _will_ get nefarious PPA packages at some point (even in launchpad) and we want to do things from the start. It might also be worth displaying if they've signed the CoC and how much Karma they have.

Mathieu Comandon (strycore) wrote :

I was not aware of this web of trust, and I've not succeeded in retrieving these key ratings. Is this about the keys being signed by other people?

The usual method for adding a key does not show any of the information you suggest (by typing `gpg --keyserver keyserver.ubuntu.com --recv 0D63C650 && gpg --export --armor 0D63C650 | sudo apt-key add -`), so I suppose you want some added security that the default procedure does not provide.

I'm just getting familiar with GnuPG and I don't know how to retrieve more information that would help the user to trust the PPA or not.

Martin Owens (doctormo) wrote :

The add key command line is a construct which was created to allow people who had checked a key's trust online or through some other tool to be able to add a key. It's not supposed to be the whole system of key management.

A very important part is making sure that the user trusts _this person_ who owns that key. We can't go running around assuming that they do, not even warning them.

`gpglist 170EBB2F` gives me useful information about who has signed my trusted key, information worth knowing as you can score a key that way.

You'll notice on my key I have a number of trusted parties and a photo id (which includes a jpeg of what I look like), all useful information. But on Launchpad we have more information: users' location, karma, photo, and other useful things which can be used to just confirm that the person is who they say they are.
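
Added example, not part of the original thread and not ppatool's own code: one way to build the confirmation step discussed above, by parsing the machine-readable listing that `gpg --with-colons --check-sigs` produces and refusing the key unless the user explicitly answers yes. The sample listing, its key IDs, names and addresses, and the `summarise`/`confirm` helpers are constructed for illustration.

```python
# Constructed sample of `gpg --with-colons --check-sigs <keyid>` output.
# All key IDs, fingerprints, names and addresses are placeholders.
SAMPLE = """\
pub:-:2048:1:89ABCDEF01234567:1230768000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1230768000::::Example Packager <packager@example.org>:
sig:!::1:89ABCDEF01234567:1230768000::::Example Packager <packager@example.org>:13x:
sig:!::1:FEDCBA9876543210:1230854400::::Example Signer <signer@example.org>:10x:
sig:?::1:0011223344556677:1230940800::::[User ID not found]:10x:
"""

def summarise(colon_listing):
    """Collect what a user should see before deciding to trust a key."""
    info = {"keyid": None, "fingerprint": None, "uids": [],
            "verified_signers": [], "unverified_signers": 0}
    for line in colon_listing.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue                      # not a record we understand
        kind = f[0]
        if kind == "pub":
            info["keyid"] = f[4]
        elif kind == "fpr" and info["fingerprint"] is None:
            info["fingerprint"] = f[9]    # first fpr record is the primary key
        elif kind == "uid":
            info["uids"].append(f[9])
        elif kind == "sig" and f[4] != info["keyid"]:   # skip self-signatures
            if f[1].startswith("!"):      # '!' = good signature, signer key is local
                info["verified_signers"].append(f[9])
            else:                         # '?', '-', '%': missing key, bad, or error
                info["unverified_signers"] += 1
    return info

def confirm(info, ask=input):
    """Print the summary; return True only on an explicit yes (default is No)."""
    print("Key fingerprint:", info["fingerprint"])
    for uid in info["uids"]:
        print("  owner:", uid)
    for signer in info["verified_signers"]:
        print("  good signature from a key in your keyring:", signer)
    print("  signatures that could not be checked:", info["unverified_signers"])
    answer = ask("Do you trust this user with your computer? y/N ")
    return answer.strip().lower() in ("y", "yes")

if __name__ == "__main__":
    if confirm(summarise(SAMPLE)):
        print("key accepted; it may now be added to the apt keyring")
    else:
        print("key NOT added")
```

A good signature only shows that the signer's key is in the local keyring and the signature checks out; whether that signer is someone the user trusts is still the user's decision.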
