Re: Packages that download/install unsecured files
Christoph Anton Mitterer wrote:
> By the way,.. a similar problem is also present in many other packages.
> Let me just name a few concrete examples so that you get a feeling on
> what I mean.
>
>
>
> 1) debootstrap/cdebootstrap
> IIRC, only cdebootstrap requires a keyring per default (or did it always
> use debian-archive-keyring?)
> Anyway,... while debootstrap supports verifying signatures and specifying
> a keyring,.. it doesn't do so per default.
> Neither does it fail if just nothing is specified (it should only work
> with verification, if some special parameter e.g. --dont-verify-sigs is
> given).
> I've filed a bug for this some time ago,... (and unfortunately a 2nd one
> recently) but it does not seem that upstream is willing to change this
> behaviour.
>
>
> 2) pbuilder and piuparts (and probably the debian buildd's, too) create
> chroots to build the packages, and I think they're using one of the
> above for this.
> Per default they're not configured to use them (well at least
> debootstrap) with signatures.
> => Building packages may lead to installation and execution of malicious
> packages.
>
> I've filed bugs for at least pbuilder and piuparts.
>
>
> 3) aptitude
> Well I'm not sure here as I haven't had the time to read the code.
> For some actions (install/upgrade/dist-upgrade) it uses secure-apt as it
> simply uses apt-get (IIRC).
>
> But what about actions not provided by apt-get, like aptitude download
> <package>.
> So far I was not able to find out whether this uses secure apt or not.
>
>
> 4) apt-file (which I like very much)
> The Contents files are not yet signed AFAIK,.. and thus it cannot do any
> verification.
There are so many scenarios where we are not able to verify any
signatures (upstream does not provide any kind of verification) or where
it is nonsense.
If we are so pedantic about this topic, we should also ask ourselves if
packages like wget, curl, ncftp, ftp etc. fulfil the security requirements.
We can not secure *everything*, but the most important parts, which
Debian itself controls.
- --
/*
With kind regards,
Patrick Matthäi
GNU/Linux Debian Developer
E-Mail: pmatthaei@debian.org
patrick@linux-dev.org
Comment:
Always if we think we are right,
we were maybe wrong.
*/