Re: Revival of the signed debs discussion
Andreas Metzler <firstname.lastname@example.org> writes:
> Joey Hess <email@example.com> wrote:
> > Goswin von Brederlow wrote:
> >> > dpkg that it is downgrading the package, and a clever attacker might
> >> > avoid even that.
> >> How would you avoid it?
> > Make the replacement package really be a different package entirely, of
> > a higher version than the package it purports to replace.
> > I think aj had some more examples along these lines the last time this
> > came up.
> I still don't understand how you change the version number (or the
> package-name) without breaking the signature.
> cu andreas
What needs to be checked is what apt/dpkg think the package is against
what the control file says. I think there are already some safeguards
in place against tampering with the package name, version and so on. I
guess I have to compromise a local apt archive and test what happens.
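The check suggested in the last paragraph, written out as an added example (this is not dpkg's or apt's own code, and the .debs, index entry and maintainer address are constructed here): it builds two minimal binary packages in memory, one whose control file matches what the index claims and one that is really a different package at a higher version, and reports any field on which the index entry and the control file disagree.

```python
"""Consistency check between an APT index entry and a .deb's control file.

Added illustration, not dpkg/apt code: the .debs are assembled in memory from
constructed control files so the whole thing runs offline.
"""
import io
import tarfile

AR_MAGIC = b"!<arch>\n"


def _ar_member(name, payload):
    # ar header layout: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) "`\n"
    header = (f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}"
              f"{len(payload):<10}`\n").encode("ascii")
    assert len(header) == 60
    # members are padded to an even length with a newline
    return header + payload + (b"\n" if len(payload) % 2 else b"")


def _tar_gz(files):
    # files: {name: bytes}; returns a gzip-compressed tar archive
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo("./" + name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_deb(control_text):
    """Build a minimal binary .deb: debian-binary, control.tar.gz, data.tar.gz."""
    return (AR_MAGIC
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _tar_gz({"control": control_text.encode()}))
            + _ar_member("data.tar.gz", _tar_gz({})))


def read_ar(blob):
    """Parse an ar archive into {member name: bytes}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar header")
        # GNU ar may terminate names with "/"; strip it
        name = header[:16].decode("ascii").strip().rstrip("/")
        size = int(header[48:58].decode("ascii").strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
    return members


def parse_control(text):
    """Parse RFC-822-style control fields, folding continuation lines."""
    fields, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and key is not None:
            fields[key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            key = key.strip()
            fields[key] = value.strip()
    return fields


def control_fields(deb_blob):
    """Extract and parse the control file carried inside a .deb."""
    members = read_ar(deb_blob)
    tar_name = next((n for n in members if n.startswith("control.tar")), None)
    if tar_name is None:
        raise ValueError("no control.tar member")
    with tarfile.open(fileobj=io.BytesIO(members[tar_name]), mode="r:*") as tf:
        for member in tf:
            if member.isfile() and member.name.lstrip("./") == "control":
                return parse_control(tf.extractfile(member).read().decode())
    raise ValueError("control.tar has no control file")


def check_package(index_entry, deb_blob):
    """Compare what the index claims with what the .deb's control file says.

    Returns a list of mismatch descriptions; an empty list means both views agree.
    """
    fields = control_fields(deb_blob)
    mismatches = []
    for key in ("Package", "Version", "Architecture"):
        claimed, actual = index_entry.get(key), fields.get(key)
        if claimed != actual:
            mismatches.append(f"{key}: index says {claimed!r}, control file says {actual!r}")
    return mismatches


# Constructed sample data: one index entry, an honest .deb and a swapped one.
INDEX_ENTRY = {"Package": "hello", "Version": "1.0-1", "Architecture": "all"}
HONEST_DEB = build_deb("Package: hello\nVersion: 1.0-1\nArchitecture: all\n"
                       "Maintainer: Example <ex@example.org>\nDescription: honest build\n")
SWAPPED_DEB = build_deb("Package: hello-ng\nVersion: 2.0-1\nArchitecture: all\n"
                        "Maintainer: Example <ex@example.org>\n"
                        "Description: a different package served under the old name\n")

if __name__ == "__main__":
    for label, deb in (("honest", HONEST_DEB), ("swapped", SWAPPED_DEB)):
        print(label, check_package(INDEX_ENTRY, deb) or "OK")
```

The index entry stands in for the Packages record apt resolved the download from; comparing it field by field with the control file is the concrete form of "what apt/dpkg think the package is against what the control file says", and a non-empty result is the signal to refuse the install rather than let the newer-looking package through.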