Re: improving downloader packages (was: Re: holes in secure apt)
* Christoph Anton Mitterer <calestyo@scientia.net>, 2014-06-16, 19:50:
Thomas mentioned that things would have been more secure if the buildds
and e.g. pbuilder pulls in debian-keyring automatically and verify
maintainer signatures.
debian-keyring is not useful for automatic authentication of source
packages. The source package could have been signed years ago by a
person who is no longer a DD. Or signed with a key that has been just
replaced with another one. Or signed with a key that's not yet shipped
in the package.
Incidentally, this is how I discovered this bug. A friend of mine (hi,
Marcin!) wondered how he can authenticate a source package that was
signed by a key that is not included in debian-keyring. I ensured him
that there's nothing to worry about, as apt takes care of this, but he
remained skeptical[0]. So I started playing with mitmproxy...
[0] And his skepticism was reinforced by (independent) discovery of this
bug: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1098738
--
Jakub Wilk
Reply to: