On Tue, 2014-06-17 at 13:39 +0200, Holger Levsen wrote: > > Well I guess the reason for flash is rather the license, isn't it? > no, it's in contrib, because it's a downloader package. Well sure... but flash itself is not in main for it's license... > both torbrowser-launcher as well as flashplugin-nonfree use gpg to verify > securely what they've downloaded. > > so I guess you will need to pick on other examples ;-) And just file bugs when > you find these. torbrowser-launcher seems to use the keys from the upstream developers... basically giving them (who are not DDs) the potential power to install _any_ code in the system of Debian users. It also doesn't seem to protect against downgrading attacks... (see my previous post about that). flashplugin-nonfree seems to use the key of a DD, which is much better, and I guess Bart Mertens regularly uploads new flash players and signs them himself... but still I see now protection against downgrading attacks. And attacker could easily MitM a user with an older (but vulnerable version) which is however correctly signed. Even if the signatures would expire (and Bart Mertens would resign them every few days)... you'd still have a rather large attack window. Not to talk about the practical problem, that users aren't informed any longer about new version (and security updates). That's why I wrote in my previous mail, that usually one should depend on a fixed hash in such downloader packages... doing it with gpg is securely possible, but much more complicated. Cheers, Chris.
Attachment:
smime.p7s
Description: S/MIME cryptographic signature