[lsb-discuss] [Webdevel] Key for signing downloadable printer driver packages

Till Kamppeter till.kamppeter at gmail.com
Wed Oct 8 11:18:08 PDT 2008


Theodore Tso wrote:
> On Wed, Oct 08, 2008 at 06:55:05PM +0200, Till Kamppeter wrote:
>> I would like to let the OpenPrinting server sign the downloadable 
>> printer driver packages so that the distribution's printer setup tools, 
>> download tools (like Jockey), and/or packaging systems (rpm, dpkg, yum, 
>> apt, ...) can verify that the drivers really come from the OpenPrinting 
>> server.
>>
>> Do we already have keys at the Linux Foundation, for example keys which 
>> we are using for other downloadable packages, perhaps keys which are 
>> already in the distros? Or should we generate new keys for OpenPrinting? 
>>   How would one then get the new keys into the distros?
> 
> I sent a note on a proposed public key hierarchy for the LSB releases;
> extending this to cover OpenPrinting shouldn't be hard.  The previous
> LSB keys weren't installed into the distributions, since the distros
> weren't pulling packages directly from a Linux Foundation server as
> would be the case with the OpenPrinting drivers.
> 
> We've been talking about rolling a high-level public key every year or two,
> that would be signed by a long-term master key.  That means that there
> needs to be a way of downloading new keys periodically.  This can be
> done via package dependencies. 
> 
> In terms of negotiating with the distributions, not all of the
> distributions may be willing to include our key as a trusted key, at
> least not initially.  So we may need to have a plan where users can
> install a package that updates the key database automatically, with
> instructions that walk the user through the procedure.  When distros
> see the value of being able to automatically download drivers,
> hopefully they will change their minds.
>

The only distribution with client software for driver download is Ubuntu 
Intrepid now. Fedora has at least download for single PPDs from 
OpenPrinting.

As distros want to have high security when it comes to automatically 
downloading software from the internet, I think they will accept 
including the keys, especially when they already include the client 
software.

And Ubuntu Intrepid does not only download printer drivers but also 
kernel drivers via Jockey (which AFAIK will also be hosted at the LF). 
So I think we should quickly make available appropriate keys so that 
they can still go into Intrepid (RC freeze in a week or so).

> Something else to think about --- many customers, both in the
> Financial Services Sector and in the Government/Defense sector, keep
> their machines on networks that do not have access to the outside
> world.  So whatever tools Open Printing is designing should ideally
> have a means of dealing with customers that have to manually download
> the drivers, get them approved by the local Site Security Officer, and
> then manually transport the driver into the secure machine room via
> USB key.

Everything can also get looked up and installed manually. Also the 
client software (system-config-printer, Jockey) handles the case of not 
being connected to the internet gracefully. So our printer drivers can 
also be used in such secure environments. PPD files for PostScript 
printers will, even if they are also available as packages, always be 
available as single PPDs, so that security auditing gets faster for just 
a few PostScript printers.

    Till
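
The two-level hierarchy discussed in this thread (a long-term master key certifying a package-signing key that is rolled every year or two) is sketched below as an added example; it is not code from the thread or from OpenPrinting. Ed25519, the `SigningCert` layout and all function names are assumptions made for illustration, standing in for the GPG keys that rpm and dpkg use.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// SigningCert binds a short-lived package-signing key to the long-term master key.
// Hypothetical format, defined only for this example.
type SigningCert struct {
	Pub      ed25519.PublicKey
	NotAfter time.Time
	Sig      []byte // master key's signature over certBytes(Pub, NotAfter)
}

// certBytes is the exact byte string the master key signs: expiry, then key.
func certBytes(pub ed25519.PublicKey, notAfter time.Time) []byte {
	return append([]byte(notAfter.UTC().Format(time.RFC3339)), pub...)
}

// IssueCert is run by the master key holder at each rollover.
func IssueCert(master ed25519.PrivateKey, pub ed25519.PublicKey, notAfter time.Time) SigningCert {
	return SigningCert{Pub: pub, NotAfter: notAfter, Sig: ed25519.Sign(master, certBytes(pub, notAfter))}
}

// VerifyPackage needs only the master public key as trust anchor, so the same
// check works on a host with no network access once the files are copied over.
func VerifyPackage(masterPub ed25519.PublicKey, c SigningCert, pkg, sig []byte, now time.Time) error {
	switch {
	case len(c.Pub) != ed25519.PublicKeySize || !ed25519.Verify(masterPub, certBytes(c.Pub, c.NotAfter), c.Sig):
		return errors.New("signing key is not certified by the master key")
	case now.After(c.NotAfter):
		return errors.New("signing key expired: fetch the rolled-over key")
	case !ed25519.Verify(c.Pub, pkg, sig):
		return errors.New("package signature invalid")
	}
	return nil
}

func main() {
	mPub, mPriv, _ := ed25519.GenerateKey(nil) // master key, kept offline
	sPub, sPriv, _ := ed25519.GenerateKey(nil) // this year's signing key
	pkg := []byte("constructed sample driver package")
	cert := IssueCert(mPriv, sPub, time.Now().AddDate(1, 0, 0))
	fmt.Println(VerifyPackage(mPub, cert, pkg, ed25519.Sign(sPriv, pkg), time.Now()))
}
```

Because the expiry date is part of the signed bytes, a client that only trusts the master key rejects both an expired signing key and a certificate whose date was altered after issuance.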

