
Re: Packages that download/install unsecured files



On Tue, 2009-09-22 at 21:23 +0200, Patrick Matthäi wrote:
> There are so many scenarios where we are not able to verify any
> signatures (upstream does not provide any kind of verification) or where
> it is nonsense.
> 
> If we are so pedantic about this topic, we should also ask ourselves, if
> packages like wget, curl, ncftp, ftp etc fulfil the security requirements.
> 
> We can not secure *everything*, but the most important parts, which
> Debian itself controls.
Of course not,.. but we can try to close as many "holes" as possible,..
especially when it's fairly easy to close them.

Regarding the pbuilder/bootstrap/similar stuff,.. I'd actually say that
it's quite critical if this is non secured.
I must admit, that I don't know where the Debian build servers get their
packages for the build-envs from, but I assume also from some other ftp
server?!
If so,.. and if Mr. Evil sits in the middle of that line (and if no
verification is done),.. he can do basically everything (and it will
most likely hit ALL users of Debian (that install those built packages)).

And IMHO the same is true for anybody who does local builds or
bootstrapping using one of the above tools (if it does not do
verification).


With all due respect, being pedantic with security isn't a flaw, IMHO.
Of course there are borders where the effort gets so high, that it isn't
worth it, but still, one should always try to improve security as much
as possible. :-)


Best wishes,
Chris.

