Re: Signing Packages.gz

To: Robert Bihlmeyer <robbe@orcus.priv.at>
Cc: debian-devel@lists.debian.org
Subject: Re: Signing Packages.gz
From: Nicolás Lichtmaier <nick@debian.org>
Date: Sun, 2 Apr 2000 21:04:39 -0300
Message-id: <20000402210439.A12547@debian.org>
In-reply-to: <878zywo36y.fsf@hoss.orcus.priv.at>; from robbe@orcus.priv.at on Sun, Apr 02, 2000 at 06:52:37PM +0200
References: <20000324124741.F30466@foursquare.net> <874s9u7lnk.fsf@hoss.orcus.priv.at> <20000326090034.E9092@azure.humbug.org.au> <20000326160220.C454@ulysses.dhis.net> <20000327083710.A30185@azure.humbug.org.au> <87wvmoyawk.fsf@hoss.orcus.priv.at> <20000328003108.A7874@azure.humbug.org.au> <878zywo36y.fsf@hoss.orcus.priv.at>

> I partly concur. Even if the developer->user channel was completely
> secured by signatures et al, we would still have the problem of an
> attacker gaining very much by breaking into a single developer's
> machine. You're netbase package is a good example: it contains a
> couple of programs usually started as root. If your developing machine
> is compromised, and your copy of the source modified, the evil guy may
> gain entry into a large number of Debian boxen.

 All packages can run things as root. Even the most simple game.

Reply to:

Follow-Ups:
- Re: Signing Packages.gz
  - From: Robert Bihlmeyer <robbe@orcus.priv.at>

References:
- Re: Signing Packages.gz
  - From: Robert Bihlmeyer <robbe@orcus.priv.at>

Prev by Date: Re: Pgcc in Deb
Next by Date: Re: END Key in Emacs (only in Xterm)
Previous by thread: Re: Signing Packages.gz
Next by thread: Re: Signing Packages.gz
Index(es):
- Date
- Thread