
Re: Bug#223772: general: no md5sums for many packages (e.g. bc)



On Tuesday 16 December 2003 20:15, Goswin von Brederlow wrote:
--cut--
> > I don't understand your comment above. why is the md5sums file useless
> > and space wasting especially in terms of security? until now, I was of
> > the opinion, that the md5sum gives me the guarantee that a debian package
> > is not penetrated before installation and further - after having the
> > packages installed on a machine - the md5sum files give me the confidence
> > that the debian binaries are correct and consistent.
>
> Any attacker would surely change the md5sums file along with changing
> the actual files. Nothing guards against the md5sums file getting
> changed intentionally or accidentally.

That's true because everyone could use md5sum to generate the sum of an
arbitrary file, but just one person has access to his/her private key to sign with.

> Only the global md5sum in the Packages file says the file has not been
> changed since, well, since the Packages file was generated. Since
> nothing checks the Release.gpg signature (without apt-secure
> installed) that's not much more secure either. But you can make sure
> it's not changed since ftp-master.debian.org generated the file.

So what is the plan from now on:
1. integrate only apt-secure patch into main apt - to complete the chain of 
trust via vendors.list. 
2. accept dpkg-sig package recently introduced - to create and verify 
signatures on .deb-files
3. do both 

Note that implementing just 1. would not suffice since installations via
dpkg -i will not check the signatures.

-- 
pub  4096R/0E4BD0AB 2003-03-18 <keyserver.bu.edu>
1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB 
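
The distinction argued in this exchange, as an added example that is not part of the original message: an md5sums file shipped inside a package catches accidental corruption only, while a digest recorded outside the package (here standing in for the MD5sum field of the Packages file) also catches a modification whose md5sums file was regenerated. The toy package layout, the sample contents and all function names are assumptions made for illustration; verifying Release.gpg over the Packages file, which is what makes the external digest trustworthy, is not shown.

```python
import hashlib
import hmac


def md5(data):
    return hashlib.md5(data).hexdigest()


def build_package(files):
    """Toy package (assumed layout): payload files plus an md5sums control file."""
    lines = ["%s  %s" % (md5(body), path) for path, body in sorted(files.items())]
    pkg = dict(files)
    pkg["DEBIAN/md5sums"] = ("\n".join(lines) + "\n").encode()
    return pkg


def archive_digest(pkg):
    """Digest over the whole package, as an index outside the package would record it."""
    h = hashlib.md5()
    for path in sorted(pkg):
        for part in (path.encode(), pkg[path]):
            h.update(len(part).to_bytes(8, "big") + part)  # length-prefixed framing
    return h.hexdigest()


def check_internal_md5sums(pkg):
    """Compare each payload file with the md5sums file carried in the same package."""
    for line in pkg["DEBIAN/md5sums"].decode().splitlines():
        digest, path = line.split("  ", 1)
        if path not in pkg or md5(pkg[path]) != digest:
            return False
    return True


def check_against_index(pkg, index_digest):
    """Compare the whole package with a digest obtained from outside the package."""
    return hmac.compare_digest(archive_digest(pkg), index_digest)


# Constructed sample data, not a real package.
original = build_package({"usr/bin/bc": b"original contents"})
index_digest = archive_digest(original)  # recorded when the index was generated

# File changed and md5sums regenerated along with it.
regenerated = build_package({"usr/bin/bc": b"modified contents"})
# File changed, md5sums left alone (e.g. disk corruption).
corrupted = dict(original, **{"usr/bin/bc": b"bit-rotted contents"})

if __name__ == "__main__":
    for name, pkg in (("original", original), ("regenerated", regenerated),
                      ("corrupted", corrupted)):
        print(name, check_internal_md5sums(pkg), check_against_index(pkg, index_digest))
```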


