
Re: CD/DVD do not contain Release.gpg files - secure apt complains



[ cc: to debian-release for information, please respect the Reply-To:
  to debian-cd for any further discussion ]

On Wed, Dec 27, 2006 at 10:53:59PM +0100, Jens Seidel wrote:
>Hi,
>
>I noticed that recent DVD images do not contain Release.gpg files so
>that APT warns all the time about insecure packages.
>
>An installation using the Debian Installer is probably not affected
>because of a TrustCDROM setting in /etc/apt/apt.conf.d/00trustcdrom but
>I use a loop-back mounted copy of a DVD set on my hard disk.

Yup, it's a known issue. And it's not one that's likely to be fixed,
and *definitely* not for the weekly builds. The problem is:

 * apt only trusts a small number of keys
 * access to those keys is (rightly!) very tightly controlled on
   one central server (not the CD build server)

This means no trusted Release files on the CDs/DVDs. To generate them
will involve either:

 * adding yet another key to the list that apt trusts, and using that
   on the CD build server. That's still not ideal for security.
 
   or

 * in the middle of each CD build, pause, copy all the Release files
   across from the temporary dirs to a central trusted machine, get
   them all signed and then copy the sigs back. That *might* happen
   for a full release, but it's definitely not going to happen for
   the regular builds each day/week! :-)

Finally, the typical use case for the CDs is to use the installer from
those CDs. As you're then relying on the apt binary on those same CDs
to check for keys, it gains you nothing in terms of security to check
signatures. An attacker could easily trojan that apt to accept
whatever key they like. Once we make a full release, the checksums of
the CD and DVD images will be signed so you can verify trust that way.

Security's a hard problem... :-(

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"I've only once written 'SQL is my bitch' in a comment. But that code 
 is in use on a military site..." -- Simon Booth
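
The following is an added illustration, not part of the message above and not Debian's own tooling: once signed image checksums exist, a check along these lines verifies the signature on the checksum list before trusting any hash in it. The file names, the `sha256sum` list format, the function names and the keyring path are assumptions; run it from a system you already trust, for the same reason the message gives about a trojaned apt.

```shell
#!/bin/sh
# Added example. Assumed inputs: a checksum list in sha256sum format
# ("<hex>  <name>"), its detached signature, and a keyring obtained out of band.

# check_image SUMS IMAGE: succeed only if IMAGE hashes to its entry in SUMS.
check_image() {
    sums=$1; image=$2
    name=$(basename "$image")
    # Accept both text ("name") and binary ("*name") mode entries.
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 2; }
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    # Duplicate entries make $expected multi-line, so this fails closed.
    [ "$expected" = "$actual" ]
}

# verify_signed_image KEYRING SIG SUMS IMAGE: check the signature on the
# checksum list first, and only then trust the hashes it contains.
# KEYRING should be a path containing a slash so gpgv uses that exact file.
verify_signed_image() {
    gpgv --keyring "$1" "$2" "$3" || return 1
    check_image "$3" "$4"
}

# Constructed demo: a stand-in "image" with a checksum list generated for it,
# then the same file after modification. Returns 0 if both behave as expected.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed image bytes\n' > "$d/test.iso"
    (cd "$d" && sha256sum test.iso > SHA256SUMS)
    if check_image "$d/SHA256SUMS" "$d/test.iso"; then clean=ok; else clean=bad; fi
    printf 'extra\n' >> "$d/test.iso"
    if check_image "$d/SHA256SUMS" "$d/test.iso"; then modified=ok; else modified=bad; fi
    rm -rf "$d"
    [ "$clean" = ok ] && [ "$modified" = bad ]
}
```

File names containing whitespace are not handled by the `awk` lookup and will be reported as missing entries.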
