Re: leaks in our only-signed-software fortress

* Christoph Anton Mitterer <calestyo@scientia.net>, 2012-02-18, 06:09:
I've decided that I think it's important to CC this d-d:
Debian has a good system of securing packages and making sure that only signed stuff comes to the user.
Over time I've seen many holes in this:
- packages that are just wrapper packages, download something from somewhere without doing any hashsum checks at all. Some firmware packages, some font packages, documentation etc. is/was like that.
- packages that eventually run some code which was downloaded unsecured. debootstrap used to be like that, pbuilder, and some others.

All(/most?) of those would be RC bugs.
I'll add to the list:
- Packages that download and run untrusted code at build time.

- Some packages load and process content that could be secured but (is/was) not. IIRC the Contents Files are not signed and therefore e.g. apt-file cannot secure this.

FWIW, the Contents files _are_ signed, but AFAICS apt-file doesn't verify the signature. But why is that a big deal?

Of those who actually DID checks, there were several that used weak checks (even though there was no need to),... e.g. things like MD5 checks instead of something "better".

For many of those I've reported bugs (and I'm sure I didn't find a lot of them, and I'm further sure that new cases were introduced).
Some were closed, some were just ignored or denied.

Could you point us to those which were ignored or denied?

--
Jakub Wilk
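The missing check the thread complains about (wrapper packages that fetch a file and use it with no hashsum check, or only an MD5 one) comes down to a few lines of fail-closed shell. The script below is an added illustration, not code from this thread or from any Debian package: it pins a SHA-256 digest, verifies the fetched file against it, and refuses to use the file on any mismatch. The download step is simulated with a constructed local file (the bytes "hello\n") so it runs offline; the digest is the sha256sum of that content.

```shell
#!/bin/sh
# Added example, not from the thread: fail-closed verification of a fetched
# file against a pinned SHA-256 digest before anything is done with it.
set -u

# Compare the SHA-256 of $1 with the pinned hex digest in $2.
# Returns 0 only on an exact match; a missing file or any mismatch is a failure.
verify_sha256() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 1
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Simulated download: a constructed local payload so the example works offline.
# Prints the path of the file it created.
make_sample() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/payload.bin"
    printf '%s' "$dir/payload.bin"
}

# Digest of "hello\n"; in a real wrapper this would be shipped inside the
# signed package, never fetched alongside the payload.
PINNED=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# The wrapper's install step: use the file only after verification passes,
# otherwise delete it and report failure (the default is refusal, not use).
install_if_verified() {
    f=$1
    if verify_sha256 "$f" "$PINNED"; then
        echo "verified: $f"
        return 0
    fi
    echo "checksum mismatch, refusing to use $f" >&2
    rm -f "$f"
    return 1
}

# Stand-alone run: a good download passes, a tampered one is rejected.
if [ "${1:-}" = "demo" ]; then
    f=$(make_sample)
    install_if_verified "$f"
    printf 'tampered\n' > "$f"
    install_if_verified "$f" || echo "rejected as expected"
fi
```

The digest must travel with the package itself (inside the signed .deb), because a hash fetched from the same unauthenticated place as the payload adds nothing. SHA-256 is used rather than MD5 because collision attacks against MD5 are practical, so an MD5 check no longer guarantees the file is the one the maintainer hashed.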