Re: leaks in our only-signed-software fortress
On Sat, 18 Feb 2012, Philip Hands wrote:
> On Sat, 18 Feb 2012 15:49:30 +0000, Neil Williams <email@example.com> wrote:
> > On Sat, 18 Feb 2012 16:25:20 +0200
> > Christoph Anton Mitterer <firstname.lastname@example.org> wrote:
> > > Am 18.02.2012 14:40, schrieb Neil Williams:
> > > >> I think as a start it should be made a policy that any "wrapper"
> > > >> package that
> > > >> downloads code from the net must at least do a strong checksum check
> > > >> on the
> > > >> downloaded code.
> > > > Not possible to enforce as a 'MUST' because, by definition,
> > > > third-party
> > > > websites will not provide checksums for every possible download
> > > > mechanism.
> > >
> > > Well it's still possible then,... the maintainer can just calculate
> > > sums on his own.
> > Against what? The source is only downloaded from upstream once per
> > upstream release, what is there to check against?
> He's talking about stuff like flash-nonfree (or whatever) where we ship
> a wrapper that wgets the actual tarball for you from the distributor,
> and checks the checksum of whatever it ends up with.
> The maintainer can grab a copy, checksum it (perhaps if paranoid do the
> download from elsewhere on a different day, make sure the checksums
> match), and then sign a package containing the checksum that he
> generated to ensure that everyone that installs the package gets the
> same tarball, or sees an error message.
I believe there are "downloader" packages in Debian that do just that, and
the practice isn't new.
It is far better than nothing, as it effectively shortens the time window
where a trojan can be inserted in the distribution point. That's not even
close to 100% coverage, but it is nothing to sneeze at, either.
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot