Re: leaks in our only-signed-software fortress

To: <debian-devel@lists.debian.org>
Subject: Re: leaks in our only-signed-software fortress
From: Christoph Anton Mitterer <calestyo@scientia.net>
Date: Sat, 18 Feb 2012 16:25:20 +0200
Message-id: <[🔎] 0a9d69dc96c647151114bca2d8ebbdf9@scientia.net>
In-reply-to: <[🔎] 20120218124038.1b556a707dca170534699031@debian.org>
References: <[🔎] 0763775752c72b696283491568e04907@scientia.net> <[🔎] 201202181148.31883.thomas@koch.ro> <[🔎] 20120218124038.1b556a707dca170534699031@debian.org>

Am 18.02.2012 14:40, schrieb Neil Williams:

I think as a start it should be made a policy that any "wrapper"package thatdownloads code from the net must at least do a strong checksum checkon the
downloaded code.
Not possible to enforce as a 'MUST' because, by definition,third-party
websites will not provide checksums for every possible download
mechanism.

Well it's still possible then,... the maintainer can just calculatesums on his own.Of course this does not mean things are secure (the maintainer couldalready use a forged version)... but at least it helps again single MITMattacks.



Cheers,
Chris.

Reply to:

Follow-Ups:
- Re: leaks in our only-signed-software fortress
  - From: Neil Williams <codehelp@debian.org>

References:
- leaks in our only-signed-software fortress
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: leaks in our only-signed-software fortress
  - From: Thomas Koch <thomas@koch.ro>
- Re: leaks in our only-signed-software fortress
  - From: Neil Williams <codehelp@debian.org>

Prev by Date: Re: leaks in our only-signed-software fortress
Next by Date: Re: leaks in our only-signed-software fortress
Previous by thread: Re: leaks in our only-signed-software fortress
Next by thread: Re: leaks in our only-signed-software fortress
Index(es):
- Date
- Thread