Re: leaks in our only-signed-software fortress

To: debian-devel@lists.debian.org
Subject: Re: leaks in our only-signed-software fortress
From: Jakub Wilk <jwilk@debian.org>
Date: Sat, 18 Feb 2012 15:47:54 +0100
Message-id: <[🔎] 20120218144754.GA6942@jwilk.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 1ef6a4f196a3cdd6cab0b5940cbf4da5@scientia.net>
References: <[🔎] 0763775752c72b696283491568e04907@scientia.net> <[🔎] 20120218113214.GA2013@jwilk.net> <[🔎] 1ef6a4f196a3cdd6cab0b5940cbf4da5@scientia.net>

* Christoph Anton Mitterer <calestyo@scientia.net>, 2012-02-18, 16:19:

Take the non-free flash as example... (yeah I know it's non-free andnot officially sec-supported)..Even if it would use some SHA512 sums (hardcoded into the package) toverify the download (I don't know whether it does),.. the updatemechanism is still outsite of the package management system (on hasto call update-flash or something like that)... so you bypass thewhole central point of update management.

Completely agreed! We should remove flashplugin-nonfree from thearchive. Or wait, even simpler, you could just not install it.

FWIW, the Contents files _are_ signed, but AFAICS apt-file doesn'tverify the signature.
See #515942.

You can easily check yourself that Contents-* checksums are mentioned inthe Release files, even for lenny. (Though indeed they weren't in Feb2009.)


Feel free to unarchive and reopen the bug.

--
Jakub Wilk

Reply to:

References:
- leaks in our only-signed-software fortress
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: leaks in our only-signed-software fortress
  - From: Jakub Wilk <jwilk@debian.org>
- Re: leaks in our only-signed-software fortress
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

Prev by Date: Re: leaks in our only-signed-software fortress
Next by Date: Re: Teams in changelog trailers
Previous by thread: Re: leaks in our only-signed-software fortress
Next by thread: Re: leaks in our only-signed-software fortress
Index(es):
- Date
- Thread