
Re: Packages that download/install unsecured files



On Thu, 2009-09-17 at 23:02 -0400, Michael S Gilbert wrote:
> checksums are a good start, but if the data itself is non-free (or
> closed or obscured), then how can you be sure it is not malicious?
Of course not at all.... but we should try to secure as much as possible
and close as many holes as possible.

In case of closed source,.. if upstream goes evil,.. we will never be
able to do anything.
Perhaps one should split those source out of non-free, so that:
non-free == non-dfsg compliant, but "open source code".
closed-section == non-dfsg and closed (e.g. Adobe flash).

Of course one could ban such totally closed software completely from
debian,.. but I think this would be a bad idea,.. at least some of them
are quite important (e.g. nvidia) for so many users.
But an own section could be worth it.


If it's not upstream that gets evil, but just some man-in-the-middle
attack,.. verifying closed source stuff will still improve security, as
I've described in my mail before.


> i think it is a matter of trust, and maybe the key would be that scripts
> should only accept the external data if it is signed and hashed by an
> authenticated DD's gpg key.
Yeah,.. as I've said,.. the signatures/hashes to those files/data/code
should always be under Debian's control,... not just e.g. downloading
(https secured) md5 hashes from Adobe's website,.. and verify them
against the most recent flash version should NOT be done by the package.

This should be done by the Debian maintainer.


Cheers,
Chris.
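
The check discussed in this message, as an added example that is not part of the original mail or of any Debian package: an install script accepts a fetched file only if it matches a digest shipped inside the package, so the reference value is under the maintainer's control rather than fetched from upstream at install time. SHA-256 is used here instead of the md5 mentioned in the thread, and the function name `verify_pinned` and the file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail). A downloader package's install
# script accepts a fetched file only if it matches a digest shipped inside
# the package itself, which is covered by the archive's signatures.

# verify_pinned FILE PINS   (hypothetical helper)
# PINS has lines of "<sha256>  <basename>" as written by sha256sum, and is
# assumed to be shipped in the .deb by the maintainer.
# Returns 0 only on an exact match; otherwise removes FILE and returns 1.
verify_pinned() {
    file=$1
    pins=$2
    name=$(basename "$file")
    # Look up the pinned digest for this file name; no entry means reject.
    want=$(awk -v n="$name" '$2 == n { print $1; exit }' "$pins")
    if [ -z "$want" ]; then
        rm -f "$file"
        return 1
    fi
    have=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$have" != "$want" ]; then
        rm -f "$file"   # fail closed: never leave unverified data behind
        return 1
    fi
    return 0
}

# Constructed demo, runs offline: a temp dir stands in for the download target.
demo() {
    dir=$(mktemp -d)
    printf 'vendor blob v1\n' > "$dir/plugin.bin"
    # Maintainer side: digest recorded at packaging time.
    (cd "$dir" && sha256sum plugin.bin > pins.sha256)
    verify_pinned "$dir/plugin.bin" "$dir/pins.sha256" && echo "accepted"
    # Simulated tampering in transit after the pin was recorded.
    printf 'vendor blob v1 + extra\n' > "$dir/plugin.bin"
    verify_pinned "$dir/plugin.bin" "$dir/pins.sha256" || echo "rejected"
    rm -rf "$dir"
}

demo
```

A file with no entry in the pin list is rejected the same way as a mismatching one, so a new upstream release is not installed until the maintainer has recorded its digest.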

