
Re: PATCH: package verification in dpkg



On Fri, 9 Mar 2001, Ben Collins wrote:

> Then make apt pass --force-noverify (or whatever it is). However, when
> doing .deb install on the command line without apt (*gasp* not using

The point is that the patch doesn't have a --force-noverify :P

Ideally, this would be controllable per-deb somehow, that would be best
IMHO. Some APT sources may not have release signatures, so it would make
sense to let dpkg look at deb signatures.

> apt) there is no security. Also, just because APT checks the sig of the
> Release file, does not mean that it is unwanted to check the deb
> signatures too. The two complement each other, IMO.

As I said, people who sit down and carefully construct a policy file that
enforces stricter checking of maintainer signatures can reap a benefit.
But those people are the minority (if they even exist).

I see the deb signature stuff as providing potentially very high security,
but the user has to be vigilant and maintain a very strict and complete
policy. 

I see release signatures as providing good and mostly effortless security
to pretty much everyone. 

The dpkg patch worries me because it appears to provide effortless
security when that is not at all the case. It also seems to miss features
which I think are key to making deb signatures worthwhile.


It does not provide any means to pass deeper data into the sig checker,
i.e.:

wget http://security.debian.org/.../foo.deb
dpkg -i --security=security-team foo.deb

Which I feel is crucial.

It does not show which signatures are present, signing dates, etc., which
may very well allow 'obsolete package' attacks to slip past.

Probably more little things like that.. 

Jason
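The 'obsolete package' point above, as an added example that is not part of the original message and not code from dpkg or the patch under discussion. It assumes a hypothetical per-package metadata record carrying the signer and the signing time, uses HMAC-SHA256 with constructed keys as a stand-in for the OpenPGP signatures a real .deb would carry (so it runs offline), and uses a constructed scenario: foo 1.0.2 is installed, and a mirror re-serves the older, genuinely signed 1.0.1. A signature-only check accepts the replay; a check that also enforces the allowed signer and that version and signing date move forward rejects it.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed stand-in keys (assumption: real .deb signatures are OpenPGP;
# HMAC is used here only so the example runs with no key infrastructure).
KEYS = {
    "security-team": b"constructed-security-team-key",
    "maintainer": b"constructed-maintainer-key",
}


@dataclass(frozen=True)
class SignedPackage:
    name: str
    version: tuple        # dotted version as a tuple, e.g. (1, 0, 2)
    signer: str           # assumed metadata field: which key signed it
    signed_at: datetime   # assumed metadata field: when it was signed
    payload: bytes        # constructed .deb contents
    mac: bytes            # "signature" over name|version|signer|time|payload


def _message(name, version, signer, signed_at, payload):
    header = f"{name}|{'.'.join(map(str, version))}|{signer}|{signed_at.isoformat()}|"
    return header.encode() + payload


def sign(name, version, signer, signed_at, payload):
    msg = _message(name, version, signer, signed_at, payload)
    mac = hmac.new(KEYS[signer], msg, hashlib.sha256).digest()
    return SignedPackage(name, version, signer, signed_at, payload, mac)


def signature_valid(pkg):
    key = KEYS.get(pkg.signer)
    if key is None:
        return False
    msg = _message(pkg.name, pkg.version, pkg.signer, pkg.signed_at, pkg.payload)
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkg.mac)


def verify_signature_only(pkg):
    """What a bare 'does the signature verify?' check answers."""
    return signature_valid(pkg)


def verify_with_policy(pkg, allowed_signers, installed):
    """Signature plus the checks a policy needs to stop replay of an old but
    genuinely signed package: an allowed signer for this source, and both
    version and signing date advancing over what is already installed.
    Returns (accepted, reason)."""
    if not signature_valid(pkg):
        return False, "signature does not verify"
    if pkg.signer not in allowed_signers:
        return False, f"signed by {pkg.signer}, not an allowed signer for this source"
    if installed is not None:
        if pkg.version <= installed.version:
            return False, "version does not advance over the installed package"
        if pkg.signed_at <= installed.signed_at:
            return False, "signed no later than the installed package: possible replay"
    return True, "accepted"


# Constructed scenario: 1.0.2 (security-team upload) is installed; an attacker
# re-serves the genuine 1.0.1 maintainer upload; 1.0.3 is a real new upload.
INSTALLED = sign("foo", (1, 0, 2), "security-team",
                 datetime(2001, 3, 1, tzinfo=timezone.utc), b"fixed build")
REPLAYED = sign("foo", (1, 0, 1), "maintainer",
                datetime(2001, 2, 1, tzinfo=timezone.utc), b"vulnerable build")
UPDATE = sign("foo", (1, 0, 3), "security-team",
              datetime(2001, 3, 9, tzinfo=timezone.utc), b"newer build")


def demo():
    """Run the three checks a reader would compare; returns their results."""
    return {
        "replayed_sig_only": verify_signature_only(REPLAYED),
        "replayed_any_signer": verify_with_policy(
            REPLAYED, {"security-team", "maintainer"}, INSTALLED),
        "replayed_strict": verify_with_policy(
            REPLAYED, {"security-team"}, INSTALLED),
        "update_strict": verify_with_policy(
            UPDATE, {"security-team"}, INSTALLED),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The signer check models the `--security=security-team` idea from the message (pinning which key a given source must be signed by); the version and date checks are what the "which signatures are present, signing dates" information would feed. Without the installed-package comparison, the replayed 1.0.1 verifies perfectly well, because nothing about it is forged.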



