
Re: .deb integrity check



From: Hugo Haas <hugo@debian.org>
> I have realised that dpkg can't check the package integrity. Somebody could
> crack ftp.debian.org, put a new login package and get tons of passwords.

Even more so - crack into one/some of the numerous mirrors and change
the package there, not as bad as your scenario but still possible.
The point is that master.debian.org isn't the only link in the chain
which can be broken in order to achieve this.

> I think it would be interesting to PGP-sign the md5sums file included in
> the packages with a Debian key and add an option to check this signature.

It should be somehow possible to verify WHICH key should be verified,
and be able to obtain this in an independent way (i.e. if the package
is modified, and the key to be verified is directed to the cracker's
key then your verification wouldn't reveal this, would it?).

Maybe a signature on the Packages file is required as well?

Cheers,

--Amos

--Amos Shapira                  | "Of course Australia was marked for
                                |  glory, for its people had been chosen
amos@gezernet.co.il             |  by the finest judges in England."
                                |                         -- Anonymous
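
The key-selection point raised in the reply, as an added example that is not part of the original message and is not dpkg code: a signed md5sums file only helps when the verifying key is checked against a fingerprint obtained independently of the package. The package layout, key pairs, file names and the toy RSA standing in for PGP are all assumptions constructed for illustration.

```python
import hashlib

# Toy textbook RSA over fixed Mersenne primes stands in for PGP so this runs on
# the standard library alone. It is not secure; only the trust logic matters.
def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_h(data, key["n"]), key["d"], key["n"])

def sig_ok(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _h(data, pub["n"])

def fingerprint(pub):
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).hexdigest()

def md5_of(files):
    return {name: hashlib.md5(body).hexdigest() for name, body in files.items()}

def build_package(key, files):
    """Hypothetical package layout: files, md5sums, signature, signer's key."""
    md5sums = "".join(f"{h}  {n}\n" for n, h in sorted(md5_of(files).items())).encode()
    return {"files": files, "md5sums": md5sums, "sig": sign(key, md5sums),
            "pubkey": {"n": key["n"], "e": key["e"]}}

def verify(pkg, pinned_fpr=None):
    """pinned_fpr=None trusts whatever key travels with the package."""
    pub = pkg["pubkey"]
    if pinned_fpr is not None and fingerprint(pub) != pinned_fpr:
        return False                      # key is not the one we already trust
    if not sig_ok(pub, pkg["md5sums"], pkg["sig"]):
        return False                      # md5sums was altered after signing
    listed = dict(line.split("  ", 1)[::-1] for line in pkg["md5sums"].decode().splitlines())
    return listed == md5_of(pkg["files"])  # every file matches its listed sum

# Constructed sample data: two key pairs and a one-file package.
ARCHIVE_KEY = make_key(2**61 - 1, 2**89 - 1)
OTHER_KEY = make_key(2**31 - 1, 2**107 - 1)
PINNED = fingerprint(ARCHIVE_KEY)         # assumed to be obtained out of band
genuine = build_package(ARCHIVE_KEY, {"bin/login": b"original contents"})
resigned = build_package(OTHER_KEY, {"bin/login": b"modified contents"})
edited = dict(genuine, files={"bin/login": b"modified contents"})

if __name__ == "__main__":
    for name, pkg in [("genuine", genuine), ("resigned", resigned), ("edited", edited)]:
        print(name, "unpinned:", verify(pkg), "pinned:", verify(pkg, PINNED))
```

The `resigned` package passes the unpinned check and fails only the pinned one, which is the gap the reply describes; the `edited` package fails both because its file no longer matches the signed md5sums.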

