Re: testing group -- please test the documentation
On Fri, 29 Jan 1999, Arto Astala wrote:
> Adam Di Carlo wrote:
> > On Tue, 12 Jan 1999 17:21:37 +0200, Arto Astala <email@example.com> said:
> > > [...]
> > [...]
> > > To protect your system againsta trojan horses and other bogus
> > > software all Debian packages are PGP-signed by developer. Thus you
> > > can (but are not required to) at any time verify that your
> > > packages are originating from the real Debian maintainer. Debian
> > > also takes great care to configure the packages in a secure manner.
> > > Security fixes are generally quickly available for the packages.
> > For one, this isn't true; .debs aren't signed. For two, I don't want
> > to bait crackers.
> There was talk about this quite some time ago, I must have taken wish
> for fact. At least we know that the package came where it should have
> come and it has not been tampered with. Packages file contains MD5sum
> but that is not very secure against tampering, especially when Packages
> has no checksum.
I mentioned this on the devel list earlier this week. All that is
required is to pgp sign the packages file. This could be done in a
separate file to keep backward compatability. The problem is that this
would de-automate the process since someone has to sign the file. Perhaps
we could only sign the stable tree since that may be done by hand and
users expect a little more from that tree anyway. You are correct in that
there are breaks in the path. Debian guarantees developer to master, but
not original to developer or mirror to user. We would simply be fixing
one more bad link in a weak chain though. True end to end authentication
can't be done with debian's model in my opinion, but that's no excuse not
to fix the problems we can.
Thanks for paying attention to my rambling,
| Brandon Mitchell * firstname.lastname@example.org * http://www.resnet.wm.edu/~bhmit1 |
| The above is a completely random sequence of bits, any relation to an |
| actual message is purely accidental. |