Re: CD/DVD do not contain Release.gpg files - secure apt complains
On Wed, Dec 27, 2006 at 10:45:58PM +0000, Steve McIntyre wrote:
> On Wed, Dec 27, 2006 at 10:53:59PM +0100, Jens Seidel wrote:
> >I noticed that recent DVD images do not contain Release.gpg files so
> >that APT warns all time about insecure packages.
> >An installation using the Debian Installer is probably not affected
> >because of a TrustCDROM setting in /etc/apt/apt.conf.d/00trustcdrom but
> >I use a loop-back mounted copy of a DVD set on my hard disk.
> Yup, it's a known issue. And it's not one that's likely to be fixed,
> and *definitely* not for the weekly builds. The problem is:
> * apt only trusts a small number of keys
> * access to those keys is (rightly!) very tightly controlled on
> one central server (not the CD build server)
> This means no trusted Release files on the CDs/DVDs. To generate them
> will involve either:
> * adding yet another key to the list that apt trusts, and using that
> on the CD build server. That's still not ideal for security.
> * in the middle of each CD build, pause, copy all the Release files
> across from the temporary dirs to a central trusted machine, get
> them all signed and then copy the sigs back. That *might* happen
> for a full release, but it's definitely not going to happen for
> the regular builds each day/week! :-)
> Finally, the typical use case for the CDs is to use the installer from
> those CDs. As you're then relying on the apt binary on those same CDs
> to check for keys, it gains you nothing in terms of security to check
> signatures. An attacker could easily trojan that apt to accept
> whatever key they like. Once we make a full release, the checksums of
> the CD and DVD images will be signed so you can verify trust that way.
I highly doubt this would come together now for etch, but wouldn't it make
sense that even for daily/weekly builds, key data be included on the CD
that would be pulled in during the install? I guess the only benefit would
be suppressing the warning message, at the cost of the key used for that CD
build being trusted on an ongoing basis, making a relatively easy target for
an attacker... so probably not such a good idea after all.
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
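To make concrete what the missing Release.gpg actually anchors, here is an added example (not code from the thread or from apt itself) that walks the lower half of apt's trust chain: a Release file lists the size and digest of each index file, and the index file in turn names each .deb. The script builds a constructed miniature `dists/` tree, parses the Release stanza, and checks the listed digests against the files present; a separate function models only the decision apt takes when Release.gpg is absent, with and without a TrustCDROM-style configuration vouching for the medium. The gpg verification of Release.gpg is not reproduced; the point the thread makes is that without it, a tree that passes the digest check is still unanchored. All file contents, paths and the `trust_status` labels are assumptions made for the example.

```python
"""Walk the digest half of apt's repository trust chain (added example, not apt's code).

Chain: Release.gpg signs Release; Release lists digests of the index files
(Packages); Packages lists digests of the .deb files. Only the middle step is
exercised here, on a constructed tree, to show what apt can and cannot check
when Release.gpg is missing from a CD/DVD.
"""
import hashlib

# Constructed miniature of a Packages index (not a real Debian index file).
PACKAGES = b"""Package: hello
Version: 2.1.1-4
Architecture: i386
Filename: pool/main/h/hello/hello_2.1.1-4_i386.deb
Size: 34560
MD5sum: 00000000000000000000000000000000
"""

# Release section header -> hashlib algorithm name.
SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def digest(algo, data):
    """Hex digest of data under the named algorithm (md5, sha1, sha256)."""
    return hashlib.new(algo, data).hexdigest()


def build_tree(packages=PACKAGES):
    """Return {path: bytes} modelling the dists/<suite>/ directory of a CD.

    The digests are computed here because the tree is constructed; on a real
    medium they come from the Release file written by the archive tools.
    """
    release = (
        "Origin: Debian\nLabel: Debian\nSuite: testing\nCodename: etch\n"
        "Architectures: i386\nComponents: main\n"
    )
    for section, algo in SECTIONS.items():
        release += f"{section}:\n {digest(algo, packages)} {len(packages)} main/binary-i386/Packages\n"
    return {"Release": release.encode(), "main/binary-i386/Packages": packages}


def parse_release(text):
    """Parse a Release file into {algo: {path: (hexdigest, size)}}.

    Header lines are unindented; digest entries are indented one space and
    belong to the most recent MD5Sum:/SHA1:/SHA256: header.
    """
    sums, current = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):
            current = SECTIONS.get(line.rstrip(":"))  # None for Origin:, Suite:, ...
        elif current:
            hexdigest, size, path = line.split()
            sums.setdefault(current, {})[path] = (hexdigest, int(size))
    return sums


def check_indexes(tree, algo="sha256"):
    """Return the paths listed in Release whose size or digest does not match the tree."""
    sums = parse_release(tree["Release"].decode())
    if algo not in sums:
        raise ValueError(f"Release has no {algo} section")
    bad = []
    for path, (expected, size) in sums[algo].items():
        data = tree.get(path)
        if data is None or len(data) != size or digest(algo, data) != expected:
            bad.append(path)
    return bad


def trust_status(tree, trust_cdrom=False):
    """Model (assumption, not apt's code) of what anchors the Release file.

    With Release.gpg present apt would verify it against its keyring; that step
    is not performed here. Without it the tree is untrusted unless configuration
    such as the installer's TrustCDROM setting vouches for the medium.
    """
    if "Release.gpg" in tree:
        return "signed"
    return "trusted-by-config" if trust_cdrom else "untrusted"


if __name__ == "__main__":
    tree = build_tree()
    print("intact tree, bad indexes:", check_indexes(tree))
    tampered = {**tree, "main/binary-i386/Packages": PACKAGES.replace(b"34560", b"34561")}
    print("tampered tree, bad indexes:", check_indexes(tampered))
    print("without Release.gpg:", trust_status(tree), "/ with TrustCDROM:", trust_status(tree, True))
```

Running it shows the digest check catching an altered index while the same intact tree is still reported as untrusted: internal consistency is all a CD without Release.gpg can offer, which is why a signed checksum of the whole image (as the thread notes happens at a full release) is the stronger anchor.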