On Fri, Jul 15, 2005 at 12:55:32AM +0200, J.A. Bezemer wrote:
>
>On Thu, 14 Jul 2005, Steve McIntyre wrote:
>>
>> Yes, this is a thorny area. I'm a little concerned - if we've gone to
>> all the effort of adding signatures to the main archive, then it does
>> seem to be ducking the problem to just trust all CDs. Allowing CDDs
>> and redistributors to add new signatures as well should boost the
>> security of the whole chain to the end user, too.
>>
>> Maybe I'm being paranoid, but it wouldn't be too hard to get a lot of
>> users to blindly install bad packages (e.g. from a trojanned cover
>> disc).
>
>Please keep in mind that, if I would trojan some cover disc, it'd be quite
>easy to modify/recompile apt (on that same CD!) to blindly trust my trojanned
>disc or just everything. Come to think of it, since apt is necessarily run as
>root during the install process, it would make an interesting place for the
>trojan code itself.
>
>Bottom line: a CD can never authenticate itself. A CD can only be securely
>authenticated by completely external code. As in: provide a downloadable
>Windows program that checks CDs prior to any installation action.
>(And for really paranoid people: turn off autorun for CDs first.)
>
>When thinking about security, always think the black-hat way. And remember
>that "hard" and "impossible" are two quite different concepts.

Of course, yes. But I'm thinking also about further down the line, not just
during the initial installation process. Imagine people who already have a
Debian or CDD system installed. They already have a secure (ish) apt
installed. In that case, it would be nice if their system did not
automatically trust any new CDs/DVDs loaded... :-)

-- 
Steve McIntyre, Cambridge, UK. firstname.lastname@example.org
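The two points the thread makes (a medium cannot vouch for itself, so the signature over its Release file must be checked by a verifier and keyring that do not come from that medium; and once that is done, every index the medium ships must match the hashes the signed Release lists) can be shown as a small check. The following is an added illustration written for this page, not code from the thread, from apt or from Debian's tooling. The Release and Packages contents are constructed sample data, the function names are my own, and the signature step itself (gpgv against a keyring kept on the already-installed system) is assumed to have happened before `medium_is_trusted` is called and is represented only by its boolean result.

```python
import hashlib

# Constructed sample data: one good Packages index and a tampered copy of it.
# These stand in for the index files found on a cover disc; they are not
# taken from any real archive.
PACKAGES_GOOD = b"Package: hello\nVersion: 2.10-1\nSHA256: deadbeef\n\n"
PACKAGES_TROJANNED = b"Package: hello\nVersion: 2.10-1+evil\nSHA256: deadbeef\n\n"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed minimal Release file in the layout apt reads: a few header
# fields, then a "SHA256:" section whose indented lines give
# "<hexdigest> <size> <path>" for each index file the archive covers.
RELEASE = (
    "Origin: Example\n"
    "Suite: stable\n"
    "SHA256:\n"
    f" {_sha256_hex(PACKAGES_GOOD)} {len(PACKAGES_GOOD)} main/binary-i386/Packages\n"
)


def parse_release_hashes(release_text: str, algo: str = "SHA256") -> dict:
    """Return {path: (hexdigest, size)} for the named hash section of a Release file.

    Section headers are unindented lines such as "SHA256:"; the entries that
    belong to a section are the indented lines that follow it.
    """
    hashes = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.rstrip() == f"{algo}:"
            continue
        if in_section:
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes


def verify_index(release_text: str, path: str, data: bytes) -> bool:
    """True iff `data` has exactly the size and SHA256 the Release lists for `path`.

    A path the Release does not mention is untrusted: nothing signed vouches
    for it, so it is rejected rather than ignored.
    """
    hashes = parse_release_hashes(release_text)
    if path not in hashes:
        return False
    digest, size = hashes[path]
    if len(data) != size:
        return False
    return _sha256_hex(data) == digest


def medium_is_trusted(signature_verified: bool, release_text: str, indexes: dict) -> bool:
    """Accept a medium only if its Release passed the EXTERNAL signature check
    and every index it ships matches that Release.

    `signature_verified` is the result of verifying Release.gpg/InRelease with
    a verifier and keyring taken from the installed system, never from the
    medium itself (assumed to have been done by the caller). Matching hashes
    mean nothing on their own: a trojanned disc can ship a Release file whose
    hashes match its own trojanned indexes.
    """
    if not signature_verified:
        return False
    return all(verify_index(release_text, path, data) for path, data in indexes.items())


if __name__ == "__main__":
    good = {"main/binary-i386/Packages": PACKAGES_GOOD}
    bad = {"main/binary-i386/Packages": PACKAGES_TROJANNED}
    print("good disc, signature ok:   ", medium_is_trusted(True, RELEASE, good))
    print("tampered index:            ", medium_is_trusted(True, RELEASE, bad))
    print("good hashes, no signature: ", medium_is_trusted(False, RELEASE, good))
```

The order of the two checks is the point: the hash comparison is only meaningful after the Release file has been tied to a key the installed system already trusts. Whatever a disc carries, including its own keyring or its own copy of apt, is input to be verified, not a source of trust.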