[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Revival of the signed debs discussion

Andreas Metzler <ametzler@downhill.at.eu.org> writes:

> Joey Hess <joeyh@debian.org> wrote:
> > Goswin von Brederlow wrote:
> >> > dpkg that it is downgrading the package, and a clever attacker might
> >> > avoid even that.
> 
> >> How would you avoid it?
> 
> > Make the replacement package really be a different package entirely, of
> > a higher version than the package it purports to replace.
> 
> > I think aj had some more examples along these lines the last time this
> > came up.
> 
> I still don't understand how you change the version number (or the
> package-name) without breaking the signature.
>                    cu andreas

What needs to be checked is what apt/dpkg think the package is against
what the control file says. I think there are already some saveguards
in place against tampering with the package name, version and so on. I
guess I have to compromise a local apt archive and test what happens.

MfG
        Goswin
Reply to: