
Re: Secure apt-get



I'd first like to say that I'd second the idea of some sort of
signature for debian packages.

On Thu, Jan 18, 2001 at 10:53:16PM +0100, Goswin Brederlow wrote:
> 
> But how likely is a man in the middle attack anyway? Use switches and
> strict routing and there's hardly anyone in the middle. The data comes
> from your isp to your router to your system. If you don't trust your
> router, your fault. If you don't trust your ISP, bad.

How about those routers hacked if they are maintained badly? I
remember seeing some posts about vulnerabilities on bugtraq some
time ago. How about somebody gaining access to a debian mirror or
somebody running a fake mirror? How about somebody other than you
downloading some packages for you?

At least the last point would warrant a per-package
signature. I know this has to be done by an automated process and
will be much weaker than a signature created by an individual. And
you would have to document that, too. E.g.: "dpkg --check-sigs:
Verify if the package was installed into the debian-archive by
checking an automatically generated signature"

I wonder how other vendors sign their packages. Do they really
have one person to sign all their packages? Which is no more
secure than using a program, either, because this person would not
know much about the individual packages.

> By the way, how do you know that the debian keyring is what it claims
> to be? You know some maintainers and signed their keys, so they should
> be fine. What about all the other keys in the keyring? Are all keys in
> the keyring connected by signatures or are there groups of keys that
> don't have any signatures across the groups? If there are groups,
> maybe a man in the middle created such a false group. How would you
> know. Maybe you could write some code to check the connectivity of the
> keyring. :)

The answer is no. Just searching the archives for the thread
"graphing the debian keyring" (September 2000) reveals the
following URL:

    http://www.chaosreigns.com/debian-keyring/

> PS: Just because you're paranoid doesn't mean they are not waiting for you outside.

Hmm. I can't see anybody out there. Maybe they're already in my
apartment? ;)

    Ingo
-- 
16                      Hard coded constant for amount of room allowed for
                        cache align and faster forwarding (tunable)

-- seen in /usr/src/linux-2.2.14/net/TUNABLE
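
An added example, not part of the original message and not the code behind the URL above: one way to check the quoted question of whether a keyring falls into groups with no signatures across them. It assumes input in the `gpg --list-sigs --with-colons` format (the sample and its key IDs are constructed), does not verify the signatures cryptographically, and ignores revocation records.

```python
from collections import defaultdict

# Constructed sample (made-up key IDs); field 1 = record type, field 5 = key ID.
SAMPLE = """\
pub:-:1024:17:00000000000000A1:979776000:::-:
sig:::17:00000000000000A1:979776000::::Alice:13x:
sig:::17:00000000000000B2:979776100::::Bob:10x:
pub:-:1024:17:00000000000000B2:979776000:::-:
pub:-:1024:17:00000000000000C3:979776000:::-:
sig:::17:00000000000000D4:979776200::::Dave:10x:
pub:-:1024:17:00000000000000D4:979776000:::-:
sig:::17:00000000000000FF:979776300::::[User ID not found]:10x:
"""


def parse_signatures(listing):
    """Return (keys, edges): key IDs in the keyring and (signer, signed) pairs."""
    keys, edges, current = set(), [], None
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue
        if fields[0] == "pub":
            current = fields[4]
            keys.add(current)
        elif fields[0] == "sig" and current and fields[4] != current:
            edges.append((fields[4], current))  # self-signatures are skipped
    return keys, edges


def keyring_groups(listing):
    """Group keys linked by signatures in either direction; largest group first."""
    keys, edges = parse_signatures(listing)
    neighbours = defaultdict(set)
    for signer, signed in edges:
        if signer in keys:  # a signer outside the keyring links nothing we can check
            neighbours[signer].add(signed)
            neighbours[signed].add(signer)
    groups, todo = [], set(keys)
    while todo:
        group, stack = set(), [min(todo)]
        while stack:
            k = stack.pop()
            if k not in group:
                group.add(k)
                stack.extend(neighbours[k] - group)
        todo -= group
        groups.append(sorted(group))
    return sorted(groups, key=len, reverse=True)
```

More than one group in the result means the keyring contains sets of keys with no signature path between them; `keyring_groups(SAMPLE)` returns two such groups.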


