Re: Secure apt-get
>>>>> " " == Klaus Reimer <email@example.com> writes:
> Hi, Is there already any feature to run apt-get in a secure
> way? I mean that it installs only TRUSTED packages. I think it
> is possible to hack a system with a man-in-the-middle-attack (I
> am not a hacker, don't know if this is technically
> possible). If I am installing/downloading i.E. joe from
> ftp.debian.org and a hacker between me and this server gives me
> a HACKED package with a postinst changing the root-Password or
> something like that I am doomed. Would be a very nice feature
> if I can give apt-get a parameter so it checks the signatures
> of downloaded packages (I know, currently they don't have
> signatures) and refuses the installation if the signature is
> unknown. A basic set of public keys (debian-keyring) must be
> included in the debian base-package. Is something like that
> already possible (I don't think so, because there are no
> signatures in the packages) or do you think it's a good idea
> for the future? Or was it already discussed?
apt-get's cvs has a ssh method of retrieving files. Of cause you would
need ssh access to a save mirror.
The problem with signing packages is that you can't trust a computer
to do it for obvious reasons (like building/installation of packages
being done as root).
And a person signing packages would hold up uploads for ages.
But you have a point with the man-in-the-middle when downloading
packages. It would be nice to have signed Packages file or a signed
md5sum file. The signature could be weak (meaning done by the computer
when moving stuff into pool) since, unlike on build daemons, not
everyone has root there. This could prevent someone from giving you a
wrong Packages file and thereby faked md5sums and packages. (Provided
you care to check those).
But how likely is a man in the middle attack anyway? Use switches and
strict routing and theres hardly anyone in the middle. The data comes
from your isp to your router to your system. If you don't trust your
router, your fault. If you don't trust your ISP, bad.
If someone realy wants to give you false packages, he can just look
over your shoulder for your root passwd instead of hacking into your
ISP to be man in the middle.
By the way, how do you know that the debian keyring is what it claims
to be? You know some maintainers and signed their keys, so they should
be fine. What about all the other keys in the keyring? Are all keys in
the keyring connected by signatures or are there groups of keys that
don't have any signatures across the groups? If there are groups,
maybe a man in the middle created such a false group. How would you
know. Maybe you could write some code to check the connectivity of the
PS: Just because your paranoid doesn't mean they are not waiting for you outside.