
Re: Packages that download/install unsecured files



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christoph Anton Mitterer wrote:
> By the way,.. a similar problem is also present in many other packages.
> Let me just name a few concrete examples so that you get a feeling on
> what I mean.
> 
> 
> 
> 1) debootstrap/cdebootstrap
> IIRC, only cdebootstrap requires a keyring per default (or did it always
> use debian-archive-keyring?)
> Anyway,... while debootstrap supports verifying signatures and specifying
> a keyring,.. it doesn't do so per default.
> Neither does it fail if just nothing is specified (it should only work
> with verification, if some special parameter e.g. --dont-verify-sigs is
> given).
> I've filed a bug for this some time ago,... (and unfortunately a 2nd one
> recently) but it does not seem that upstream is willing to change this
> behaviour.
> 
> 
> 2) pbuilder and piuparts (and probably the debian buildd's, too) create
> chroots to build the packages, and I think they're using one of the
> above for this.
> Per default they're not configured to use them (well at least
> debootstrap) with signatures.
> => Building packages may lead to installation and execution of malicious
> packages.
> 
> I've filed bugs for at least pbuilder and piuparts.
> 
> 
> 3) aptitude
> Well I'm not sure here as I haven't had the time to read the code.
> For some actions (install/upgrade/dist-upgrade) it uses secure-apt as it
> simply uses apt-get (IIRC).
> 
> But what about actions not provided by apt-get, like aptitude download
> <package>.
> So far I was not able to find out whether this uses secure apt or not.
> 
> 
> 4) apt-file (which I like very much)
> The Contents files are not yet signed AFAIK,.. and thus it cannot do any
> verification.

There are so many scenarios where we are not able to verify any
signatures (upstream does not provide any kind of verification) or where
it is nonsense.

If we are so pedantic about this topic, we should also ask ourselves if
packages like wget, curl, ncftp, ftp etc. fulfil the security requirements.

We can not secure *everything*, but the most important parts, which
Debian itself controls.

- --
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

E-Mail: pmatthaei@debian.org
        patrick@linux-dev.org

Comment:
Always if we think we are right,
we were maybe wrong.
*/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkq5JD0ACgkQ2XA5inpabMfJYQCfba6GxGaOkzct0yN9iRvU/f6j
4nIAnAtayYfmdpYWgF9EZX/zE2J+8fHf
=35fe
-----END PGP SIGNATURE-----
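
Added example, not part of the original message and not debootstrap's own code: a fail-closed wrapper of the kind item 1 of the quoted text asks for, which refuses to run debootstrap unless signature verification against a keyring is requested. The function names are hypothetical; `--keyring` and `--no-check-gpg` are existing debootstrap options.

```shell
#!/bin/sh
# Added example: fail-closed argument check for debootstrap invocations.
# check_debootstrap_args and safe_debootstrap are hypothetical helper names.

# Returns 0 only if the arguments request signature verification against
# an existing, non-empty keyring; prints the reason to stderr otherwise.
check_debootstrap_args() {
    keyring=""
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --no-check-gpg)
                echo "refused: --no-check-gpg disables Release verification" >&2
                return 1 ;;
            --keyring=*)
                keyring="${1#--keyring=}" ;;
            --keyring)
                # Two-argument form: the keyring path is the next word.
                if [ "$#" -lt 2 ]; then
                    echo "refused: --keyring needs a file argument" >&2
                    return 1
                fi
                keyring="$2"
                shift ;;
        esac
        shift
    done
    if [ -z "$keyring" ]; then
        echo "refused: no --keyring given" >&2
        return 1
    fi
    if [ ! -s "$keyring" ]; then
        echo "refused: keyring '$keyring' is missing or empty" >&2
        return 1
    fi
    return 0
}

# Run debootstrap only when the check passes; all arguments are passed on.
safe_debootstrap() {
    check_debootstrap_args "$@" || return 1
    debootstrap "$@"
}
```

Chroot builders that call debootstrap could invoke `safe_debootstrap` instead, so that a missing keyring stops the build rather than silently skipping verification.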

