[ cc: to debian-release for information, please respect the Reply-To:
  to debian-cd for any further discussion ]

On Wed, Dec 27, 2006 at 10:53:59PM +0100, Jens Seidel wrote:
>Hi,
>
>I noticed that recent DVD images do not contain Release.gpg files so
>that APT warns all the time about insecure packages.
>
>An installation using the Debian Installer is probably not affected
>because of a TrustCDROM setting in /etc/apt/apt.conf.d/00trustcdrom but
>I use a loop-back mounted copy of a DVD set on my hard disk.

Yup, it's a known issue. And it's not one that's likely to be fixed,
and *definitely* not for the weekly builds. The problem is:

 * apt only trusts a small number of keys
 * access to those keys is (rightly!) very tightly controlled on one
   central server (not the CD build server)

This means no trusted Release files on the CDs/DVDs. To generate them
will involve either:

 * adding yet another key to the list that apt trusts, and using that
   on the CD build server. That's still not ideal for security.

or

 * in the middle of each CD build, pause, copy all the Release files
   across from the temporary dirs to a central trusted machine, get
   them all signed and then copy the sigs back. That *might* happen
   for a full release, but it's definitely not going to happen for the
   regular builds each day/week! :-)

Finally, the typical use case for the CDs is to use the installer from
those CDs. As you're then relying on the apt binary on those same CDs
to check for keys, it gains you nothing in terms of security to check
signatures. An attacker could easily trojan that apt to accept
whatever key they like.

Once we make a full release, the checksums of the CD and DVD images
will be signed so you can verify trust that way.

Security's a hard problem... :-(

-- 
Steve McIntyre, Cambridge, UK.                       steve@einval.com
"I've only once written 'SQL is my bitch' in a comment. But that code
 is in use on a military site..." -- Simon Booth
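What an unsigned Release file still does and does not give you on a loop-back mounted copy, as an added example that is not part of the original message or of Debian's tooling: it checks the index files of one suite directory against the checksum fields in Release and reports whether a Release.gpg is present at all. The function names and the sample tree are constructed for illustration; the Release layout assumed is the usual "digest size path" continuation lines under MD5Sum, SHA1 or SHA256.

```python
import hashlib
import os

# Checksum fields of a Debian Release file mapped to hashlib algorithm names.
FIELDS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def parse_release(text):
    """Return {path: {algo: (hexdigest, size)}} from the checksum fields."""
    entries, algo = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):           # continuation of the current field
            parts = line.split()
            if algo and len(parts) == 3:
                entries.setdefault(parts[2], {})[algo] = (parts[0].lower(), int(parts[1]))
        else:                                 # new field; None if not a checksum field
            algo = FIELDS.get(line.split(":", 1)[0])
    return entries

def check_suite(suite_dir):
    """Return (has_release_gpg, problems) for one dists/<suite> directory.

    has_release_gpg is a presence check only; the signature itself must be
    verified with a keyring obtained from a trusted host, not from the disc.
    """
    with open(os.path.join(suite_dir, "Release"), encoding="utf-8") as fh:
        entries = parse_release(fh.read())
    problems = []
    for path, sums in sorted(entries.items()):
        if path.startswith("/") or ".." in path.split("/"):
            problems.append((path, "unsafe-path"))   # never follow paths out of the tree
            continue
        full = os.path.join(suite_dir, path)
        if not os.path.isfile(full):
            continue  # assumption: Release may list indices not shipped on this disc
        with open(full, "rb") as fh:
            data = fh.read()
        for algo, (digest, size) in sums.items():
            if len(data) != size or hashlib.new(algo, data).hexdigest() != digest:
                problems.append((path, algo))
    return os.path.isfile(os.path.join(suite_dir, "Release.gpg")), problems

def build_sample(root):
    """Constructed sample suite (not real archive data), without Release.gpg."""
    pkg = b"Package: hello\nVersion: 1.0\n"
    os.makedirs(os.path.join(root, "main/binary-i386"))
    with open(os.path.join(root, "main/binary-i386/Packages"), "wb") as fh:
        fh.write(pkg)
    line = " %s %d main/binary-i386/Packages\n" % (hashlib.sha256(pkg).hexdigest(), len(pkg))
    with open(os.path.join(root, "Release"), "w", encoding="utf-8") as fh:
        fh.write("Suite: testing\nSHA256:\n" + line)
```

A result of (False, []) means the tree is only self-consistent: anyone able to change Packages can rewrite Release to match, which is why authenticity has to come from a signature checked with trusted tools, such as the signed image checksums mentioned above.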