Re: PATCH: package verification in dpkg
On Fri, Mar 09, 2001 at 07:57:39PM -0700, Jason Gunthorpe wrote:
> On Fri, 9 Mar 2001, Ben Collins wrote:
> > Then make apt pass --force-noverify (or whatever it is). However, when
> > doing .deb install on the command line without apt (*gasp* not using
> The point is that the patch doesn't have a --force-noverify :P
> Ideally, this would be controllable per-deb somehow, that would be best
> IMHO. Some APT sources may not have release signatures, so it would make
> sense to let dpkg look at deb signatures.
Wichert seems to have added an option now.
> > apt) there is no security. Also, just because APT checks the sig of the
> > Release file, does not mean that it is unwanted to check the deb
> > signatures too. The two compliment each other, IMO.
> As I said, people who sit down and carefully construct a policy file that
> enforces stricter checking of maintainer signatures can reap a benifit.
> But those people are the minority (if they even exist).
> I see the deb signature stuff as providing potentially very high security,
> but the user has to be vigilant and maintain a very strict and complete
The policies are not meant to be written by users, but by distributors
of the packages. IOW, Debian, Progeny, etc.
> I see release signatures as providing good and mostly effortless security
> to pretty much everyone.
Only in certain situations, and that situation is when using apt.
Restricting security to a tool that doesn't allow you to bypass it and
get the same security, is not perfect. Most users will at some point
install a .deb directly, without the user of apt.
> The dpkg patch worries me because it appears to provide effortless
> security when that is not at all the case. It also seems to miss features
> which I think are key to making deb signatures worthwhile.
> It does not provide any means to pass deeper data into the sig checker..
> wget http://security.debian.org/.../foo.deb
> dpkg -i --security=security-team foo.deb
Yes, the debsig-verify tool does allow you to pass deeper data. Have you
looked at the tool at all? No, you can't do this through dpkg, so you
debsig-verify --use-policy security-team
dpkg -i foo.deb
It's not that hard to allow these options to work with dpkg and be
passed down to the verification program.
> It does not show which signatures are present signing dates, etc, which
> may very well allow 'obsolete package' attacks to slip past.
You've spoken of these "obsolete attacks" and yet, you've never given me
an example of one which is actually a security risk. I don't see this as
a problem which signatures need to address.
> Probably more little things like that..
All of those things are possible using the debsig-verify tool directly.
People who want that kind of checking, will want to it this way anyway
(and get all the nifty debug output). Maybe dpkg can also have an option
not to pass -q to debsig-verify, so that all of it's output is seen.
/ Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \
` firstname.lastname@example.org -- email@example.com -- firstname.lastname@example.org '