[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: leaks in our only-signed-software fortress

On Sat, 18 Feb 2012 12:32:14 +0100
Jakub Wilk <jwilk@debian.org> wrote:

> * Christoph Anton Mitterer <calestyo@scientia.net>, 2012-02-18, 06:09:
> >I've decided that I think it's important to CC this d-d:
> >Debian has a good system of securing packages and making sure that only 
> >signed stuff comes to the user.
> >Over time I've seen many holes in this:
> >- packages that are just wrapper packages, download something from 
> >somewhere without doing any hashsum checks at all
> >Some firmware packages, some font packages, documentation etc. is/was 
> >like that.
> >- packages that eventually run some code which was downloaded 
> >unsecured.
> >debootstrap used to be like that, pbuilder, and some others

Only a bug if this happens by default.

It is perfectly acceptable to support an option to disable SecureApt -
just as long as this is not the default. Tools in Debian need to work
with systems outside Debian and those do not necessarily *need*
SecureApt because the entire loop is internal or even local to the one

> All(/most?) of those would be RC bugs.
> I'll add to the list:
> - Packages that download and run untrusted code at build time.

...if on Debian buildds or by default.

Private buildd's, by a selectable option - not a bug.


Neil Williams

Attachment: pgpuDehfjZftv.pgp
Description: PGP signature

Reply to: