Re: Bug#540215: Introduce dh_checksums
On Mon, Mar 08, 2010 at 05:59:13PM -0500, Joey Hess wrote:
> Russ Allbery wrote:
> > The missing link, in this validation scenario, is how to get a signed copy
> > of the MD5 checksums of the files in the package.
> That's one missing link. The other one is that there are innumerable
> ways for an attacker to inject bad behavior/backdoors onto a system
> without touching binaries originating from dpkg.
Signatures don't prevent bugs, they don't prevent trojans, they don't
prevent attacks on SSH. But they let you *detect* attacks. It's not
that easy to install a root kit that hides all changes and you can
always boot from a trusted medium to check your files. Without
signatures, you can't, or at least it's a lot harder.
> Expecting debsums to
> protect against any form of attack is bound to result in a false sense
> of security;
I don't expect that.