Signing Packages.gz


To my understanding the package process is fairly secure on the incoming
side of Debian's package management system.  Maintainers sign their uploads,
which prevents a man-in-the-middle attack.

These packages are then checksummed in Packages.gz, but nowhere is that
file signed, that I know of.  This opens up the users to an ftp
man-in-the-middle attack during the upgrade process.

The only way a user can currently be sure he has a system from the
code the maintainers use is to compile all the packages himself (I'm
speaking from a truly paranoid security standpoint here :) ), since
the *dsc files are signed.

So my question is, what are your thoughts on adding a signature to the
current Packages.gz file, or adding a similar *dsc file for it,
which is then signed?  Are there any reasons why this hasn't been done yet
besides the obvious "nobody has time"? :-)

Thanks.  Please CC me on replies, since I'm not on the list.
- Chris
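Added worked example (not from Chris's post and not Debian's own tooling): it shows why a checksum-only Packages index gives a client no end-to-end integrity when the mirror is hostile, and how a signature over the index closes that gap. The package bytes, index text and key are constructed for the demo, and the HMAC over the index is a stand-in for the detached public-key signature a real archive would publish; that substitution is an assumption of the example.

```python
"""Added example: checksum-only index vs. signed index.

All package contents, index text and keys are constructed for the demo.
The HMAC stands in for a detached signature over the index (assumption)."""
import hashlib
import hmac

# Constructed "package" contents, keyed by the Filename field of the index.
GOOD_PKGS = {
    "pool/main/f/foo/foo_1.0_i386.deb": b"genuine foo 1.0 payload",
}


def build_index(pkgs):
    """Emit a minimal Packages-style index: one stanza per .deb with its
    path, size and MD5 sum (the fields a client checks before install)."""
    stanzas = []
    for path, data in sorted(pkgs.items()):
        name = path.rsplit("/", 1)[-1].split("_")[0]
        stanzas.append(
            f"Package: {name}\nFilename: {path}\nSize: {len(data)}\n"
            f"MD5sum: {hashlib.md5(data).hexdigest()}\n"
        )
    return "\n".join(stanzas)


def parse_index(text):
    """Parse stanzas back into {Filename: {field: value}}."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if line)
        entries[fields["Filename"]] = fields
    return entries


def packages_match_index(index_text, pkgs):
    """The only check possible with an unsigned index: does every downloaded
    .deb match the size and MD5 sum the index claims for it?"""
    for path, fields in parse_index(index_text).items():
        data = pkgs.get(path)
        if data is None or len(data) != int(fields["Size"]):
            return False
        if hashlib.md5(data).hexdigest() != fields["MD5sum"]:
            return False
    return True


def sign_index(index_text, key):
    """Stand-in for the archive signing the index (HMAC here; a real archive
    would publish a detached public-key signature instead)."""
    return hmac.new(key, index_text.encode(), hashlib.sha256).hexdigest()


def verify_signed_index(index_text, sig, key):
    """Client-side check of the index signature before trusting any checksum in it."""
    return hmac.compare_digest(sign_index(index_text, key), sig)


def scenario():
    """Return (unsigned_check_fooled, signed_check_detects) for a mirror that
    serves a different .deb and rewrites the index so the checksums line up."""
    archive_key = b"constructed-demo-key"  # held by the archive, trusted by clients
    good_index = build_index(GOOD_PKGS)
    good_sig = sign_index(good_index, archive_key)

    # The hostile mirror serves modified package bytes plus a matching index.
    evil_pkgs = {"pool/main/f/foo/foo_1.0_i386.deb": b"modified foo 1.0 payload"}
    evil_index = build_index(evil_pkgs)

    # Checksums agree with the rewritten index, so the unsigned check passes.
    unsigned_check_fooled = packages_match_index(evil_index, evil_pkgs)
    # The mirror cannot produce a valid signature for its rewritten index,
    # so a client verifying the signature rejects it before hashing anything.
    signed_check_detects = not verify_signed_index(evil_index, good_sig, archive_key)
    return unsigned_check_fooled, signed_check_detects


if __name__ == "__main__":
    print(scenario())  # (True, True)
```

One caveat the example does not cover: a signature proves the index came from the archive, not that it is current. A mirror could replay an old, validly signed index whose listed packages have known problems, so a signed index also needs a date or validity window that the client checks.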

