
signature checking in libcupt (Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?))

Hi Kristian,

To one of your side questions,

On 24.10.2016 02:33, Kristian Erik Hermansen wrote:
>> 1) The checking chain (e.g. gpgv and its callers) has bugs. True, the checking layer for secure transports also has bugs.
> Agreed. Please let me know of a good test case to validate that your
> tools, which are not APT (?), are doing the right things. You said you
> maintained a tool which "downloads and validates Debian archives in a
> similar way APT does", which means not exactly the way APT does. Let
> me know the name of your tool and how to setup some test cases to
> validate your tool is doing things properly. Glad to spend some time
> on it and contribute any potential findings for the community benefit.

The tool I maintain is a minor, not widely used package manager, which may or may not be worth your time. It's called
Cupt; the sources are at [1a] or [1b], namely the checking code at [2] and tests for common situations at [3]. One can
play with those test cases, or install the tool and point it [4] at malicious servers.

There might be other packages in Debian which access repos not through libapt.

[1a] https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=cupt/cupt.git;a=tree
[1b] https://github.com/jackyf/cupt
[2] cpp/lib/src/internal/cachefiles.cpp:verifySignature()
[3] test/t/query/repo-signatures/*
[4] same as APT, via /etc/apt/sources.list
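The message points at Cupt's verifySignature() and its repository-signature tests without showing what the checking chain does. As an added illustration (not Cupt's code, not APT's, and not taken from the linked test cases), the script below implements the step that callers of gpgv perform once a Release file's signature has been accepted: the Packages index fetched from the mirror must match the size and SHA256 that the signed Release file lists for it. The Release and Packages contents are constructed inline, so it runs offline; the "tampered mirror" case keeps the file size and alters one byte, which is exactly the kind of malicious-server input one would point such a tool at.

```python
"""Added example, not Cupt's or APT's code: the hash half of the Debian archive
checking chain, applied after gpgv has accepted the Release signature.
All Release/Packages content below is constructed for the example."""
import hashlib
import hmac
import re

# Constructed Packages index as a hypothetical mirror would serve it.
PACKAGES = (b"Package: hello\nVersion: 2.10-1\n"
            b"Filename: pool/main/h/hello/hello_2.10-1_amd64.deb\n\n")


def _release_for(packages: bytes) -> str:
    """Build a minimal Release file whose SHA256 block vouches for `packages`."""
    digest = hashlib.sha256(packages).hexdigest()
    return ("Origin: Example\nSuite: stable\nSHA256:\n"
            f" {digest} {len(packages)} main/binary-amd64/Packages\n")


# Constructed Release file, standing in for one whose signature gpgv accepted.
RELEASE = _release_for(PACKAGES)


def parse_sha256(release_text: str) -> dict:
    """Return {path: (hexdigest, size)} from the SHA256 block of a Release file.

    Entries are the indented lines following 'SHA256:'; any line that does not
    fit '<64 hex> <size> <path>' is rejected rather than silently skipped."""
    entries = {}
    in_block = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith(" "):
            in_block = False
            continue
        m = re.fullmatch(r" ([0-9a-f]{64})\s+(\d+)\s+(\S+)", line)
        if not m:
            raise ValueError(f"malformed SHA256 entry: {line!r}")
        entries[m.group(3)] = (m.group(1), int(m.group(2)))
    return entries


def verify_index(release_text: str, path: str, data: bytes) -> bool:
    """True iff `data` matches the size and SHA256 the signed Release lists for `path`.

    A path the Release does not mention is a failure, not a pass: an index the
    signed file does not vouch for must never be used."""
    entries = parse_sha256(release_text)
    if path not in entries:
        return False
    expected_hex, expected_size = entries[path]
    if len(data) != expected_size:
        return False
    actual = hashlib.sha256(data).digest()
    return hmac.compare_digest(actual, bytes.fromhex(expected_hex))


if __name__ == "__main__":
    index_path = "main/binary-amd64/Packages"
    # Same length, one byte changed: the size check passes, the hash check must not.
    tampered = PACKAGES.replace(b"2.10-1", b"2.10-0")
    print("genuine index accepted:", verify_index(RELEASE, index_path, PACKAGES))
    print("tampered index rejected:", not verify_index(RELEASE, index_path, tampered))
    print("unlisted index rejected:", not verify_index(RELEASE, "main/binary-i386/Packages", PACKAGES))
```

The signature check itself is deliberately left to gpgv here; what the example shows is that the trust gpgv establishes for the Release file only reaches the Packages index (and from there the .deb files) through these size and digest comparisons, so a bug in this caller-side step is as fatal as a bug in gpgv.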
