[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: security (was: Re: my platform for Debian Project Leader)



On Wed, Feb 21, 2001 at 10:54:38PM +0100, Christian Hammers wrote:
> On Tue, Feb 20, 2001 at 10:24:03PM -0500, Branden Robinson wrote:
> > The purpose of this message is to outline the reasons I running for Debian
> > Project Leader, and to present an idea of some specific things I would like
> > to accomplish during my term, if elected.
> You forgot to tell about security. More and more people are concerned about
> trojans in automatically downloaded packages. I know that there's no really
> good solution as in the end it is all software from different authors but
> we must at least do a bit more for security. Proposals are e.g.
> * APT could automatically check signatures on downloaded sources
> * APT could automatically check signatures on packages which the maintainer
>   has self builded.
> * A task force could check the diffs and md5sum check the .orig.tar.gz's for
>   malicious code - yeah, I know it's easy to hide but we normally don't have
>   that much source code changes outside the /debian dir.
> * something. At least make the users aware how much or less the security they
>   get from RedHats signed packages really is for them. 
> * More more people for the security fix team. 

Check out debsigs and debsigs-verify (the latter being on non-US). John
Goerzen and I are working on package signing. IIRC, Jason and Anthony
were working on a signed index of md5sums for the archive in addition to
this.

The only thing it is waiting for is integration with our current tools,
and policy to back it up.

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'



Reply to: