Re: leaks in our only-signed-software fortress
On 02/18/2012 08:40 PM, Neil Williams wrote:
> On Sat, 18 Feb 2012 11:48:27 +0100
> Thomas Koch <thomas@koch.ro> wrote:
>
>
>> I think as a start it should be made a policy that any "wrapper" package that
>> downloads code from the net must at least do a strong checksum check on the
>> downloaded code.
>>
> Not possible to enforce as a 'MUST' because, by definition, third-party
> websites will not provide checksums for every possible download
> mechanism.
>
We're trying to mitigate risks of a man-in-the-middle
attack here. Not to authenticate the content, which is
the job of the maintainer. We want to check that the
file is the same one as the one the maintainer downloaded.
Which means that if there isn't a checksum on the
third-party website, a maintainer can just run sha512sum
and save the checksum in his download script (or next to
it) by himself for later runtime check.
So yes, a MUST can happen, IMO.
Thomas
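The pattern Thomas describes, as an added example that is not code from the thread or from any Debian package: the maintainer records a sha512sum next to the download script, and the script refuses (and deletes) any download whose hash differs. The URL, the pinned hash value and the `FETCH` override are placeholders or assumptions.

```shell
#!/bin/sh
# Added example: verify a third-party download against a hash the maintainer
# recorded at packaging time. Placeholder values, not a real upstream.
UPSTREAM_URL="https://example.invalid/upstream.tar.gz"
PINNED_SHA512="<sha512 the maintainer recorded with sha512sum>"

# SHA-512 of a file, printed as a bare hex digest (GNU coreutils or BSD shasum).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# verify_download FILE EXPECTED
# Returns 0 when FILE hashes to EXPECTED. On mismatch it reports both digests,
# removes FILE so a tampered copy never reaches the install step, returns 1.
verify_download() {
    file=$1
    expected=$2
    actual=$(sha512_of "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        rm -f "$file"
        return 1
    fi
    return 0
}

# fetch_and_verify URL DEST EXPECTED
# Downloads to DEST.part, verifies, then renames: a partial or unverified
# file is never left under the final name. FETCH (assumed variable) lets a
# caller substitute another fetcher; it is invoked as: FETCH OUTFILE URL.
fetch_and_verify() {
    url=$1; dest=$2; expected=$3
    tmp="$dest.part"
    ${FETCH:-wget -q -O} "$tmp" "$url" || { rm -f "$tmp"; return 1; }
    verify_download "$tmp" "$expected" || return 1
    mv "$tmp" "$dest"
}

# Typical use inside the wrapper package's download script:
# fetch_and_verify "$UPSTREAM_URL" upstream.tar.gz "$PINNED_SHA512" || exit 1
```

A mismatch means the file is not the one the maintainer inspected, whether because upstream changed it or because something in between did; either way the package build should stop rather than install it.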