On Wed, Apr 08, 1998 at 08:50:56PM +0100, Enrique Zanardi wrote:
> On Wed, Apr 08, 1998 at 08:23:48PM +0200, Marco d'Itri wrote:
> > Can someone hack dinstall to install packages which are not PGP signed
> > but have been copied to incoming? If the UID of the files is the one of a
> > developer we can know who did upload the package.
> No. We know which account the uploader used. (Even that is not true. The
> uploader may have changed the UID if he obtained root privileges, but
> then he can bypass dinstall). And what about packages uploaded to chiar
> or erlangen?
>
> We should be talking about improving our security instead (by signing the
> packages, and not the .changes file). One of these days we will find
> trojan horses in Debian packages at compromised mirror sites, and will
> have to hear all that "But, RPM packages are PGPsigned..." stuff again
> and again.

Signing the .changes files is enough because of the md5sums contained in
the .changes file, and md5 is an algorithm of mostly the same strength as
the one used by PGP for signing (only the IDs are better encrypted),
practically speaking. For a better check, look at dpkg-cert... I think it
also checks the integrity of the files on the system. So to speak, it was
really hard to find a file that has the same md5 sum as another one; to
find one that represents something is frankly harder, and to find one that
can also do real harm is like finding a neutrino: something that is easier
to believe is an error than that it is true.

--
------------------------------------------------------------------------
Fabien Ninoles                                Running Debian/GNU Linux
E-mail: fab@tzone.org
WebPage: http://www.callisto.si.usherb.ca/~94246757
WorkStation [available when connected!]: http://nightbird.tzone.org/
RSA PGP KEY [E3723845]: 1C C1 4F A6 EE E5 4D 99  4F 80 2D 2D 1F 85 C1 70
------------------------------------------------------------------------
Attachment:
pgpydfhqKVUW0.pgp
Description: PGP signature
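The argument in the message above is that a signature on the .changes file covers the packages indirectly, through the md5sums listed in its Files: stanza. The check below, added here as an example and not code from the original thread or from dinstall, shows what that indirection actually buys: once the signature on the .changes file has been verified (assumed done beforehand, e.g. with gpg, and not part of this block), every listed file must match its recorded size and md5sum, and anything in incoming that is not listed is not covered by the signature at all. The .changes text and package contents are constructed inline so the check runs offline; the function names (`parse_files_stanza`, `verify_upload`) and the sample package names are assumptions for the example.

```python
"""Verify the Files: stanza of a Debian .changes file against uploaded files.

Added example, not dinstall's code. Assumes the PGP signature on the .changes
file has ALREADY been verified; only then are the md5sums below trustworthy.
"""
import hashlib
import re

# Constructed sample upload: filename -> file contents (not real packages).
SAMPLE_FILES = {
    "hello_1.3-1.dsc": b"Format: 1.0\nSource: hello\nVersion: 1.3-1\n",
    "hello_1.3-1_i386.deb": b"!<arch>\ndebian-binary   2.0\n",
}

_MD5_RE = re.compile(r"[0-9a-f]{32}")


def make_changes(files):
    """Build a minimal .changes body whose Files: stanza describes `files`.

    Mirrors the 1998-era layout: 'md5sum size section priority filename'.
    """
    lines = ["Format: 1.5", "Source: hello", "Version: 1.3-1", "Files:"]
    for name, data in files.items():
        md5hex = hashlib.md5(data).hexdigest()
        lines.append(f" {md5hex} {len(data)} devel optional {name}")
    return "\n".join(lines) + "\n"


def parse_files_stanza(changes_text):
    """Return {filename: (md5hex, size)} from the Files: field.

    Continuation lines of a multi-line field start with a single space; the
    stanza ends at the next line that does not.
    """
    entries = {}
    in_files = False
    for line in changes_text.splitlines():
        if line.startswith("Files:"):
            in_files = True
            continue
        if not in_files:
            continue
        if not line.startswith(" "):
            break  # next field begins
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"malformed Files: line: {line!r}")
        md5hex, size, _section, _priority, name = parts
        if not _MD5_RE.fullmatch(md5hex):
            raise ValueError(f"bad md5sum in Files: line: {line!r}")
        # A listed name must be a bare filename: a path component here would
        # let a signed .changes point the installer outside incoming.
        if "/" in name or name in (".", ".."):
            raise ValueError(f"refusing path-like filename: {name!r}")
        entries[name] = (md5hex, int(size))
    if not entries:
        raise ValueError("no Files: stanza found")
    return entries


def verify_upload(changes_text, uploaded):
    """Check every listed file's size and md5sum against `uploaded`.

    `uploaded` maps filename -> bytes found in incoming. Returns
    (ok, problems); problems is a list of human-readable findings.
    """
    expected = parse_files_stanza(changes_text)
    problems = []
    for name, (md5hex, size) in expected.items():
        data = uploaded.get(name)
        if data is None:
            problems.append(f"{name}: listed in .changes but missing")
            continue
        if len(data) != size:
            problems.append(f"{name}: size {len(data)} != {size}")
        actual = hashlib.md5(data).hexdigest()
        if actual != md5hex:
            problems.append(f"{name}: md5 {actual} != {md5hex}")
    for name in uploaded:
        if name not in expected:
            # Present in incoming but not under the signature: never install.
            problems.append(f"{name}: not listed in .changes (unsigned)")
    return (not problems, problems)


if __name__ == "__main__":
    changes = make_changes(SAMPLE_FILES)
    print(verify_upload(changes, SAMPLE_FILES))
    tampered = dict(SAMPLE_FILES)
    tampered["hello_1.3-1_i386.deb"] += b"\x90"  # one byte appended by a "mirror"
    print(verify_upload(changes, tampered))
```

The same parse-then-compare step applies unchanged to the Checksums-Sha256 stanza that later versions of the .changes format carry alongside Files:; only the hash function and the field name differ. Note that this check can only detect a modified package, not a package built by a compromised developer with a valid key, which is why the thread's other proposal, signing the packages themselves, addresses a different threat.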