Re: security (was: Re: my platform for Debian Project Leader)
On Wed, Feb 21, 2001 at 10:54:38PM +0100, Christian Hammers wrote:
> On Tue, Feb 20, 2001 at 10:24:03PM -0500, Branden Robinson wrote:
> > The purpose of this message is to outline the reasons I am running for Debian
> > Project Leader, and to present an idea of some specific things I would like
> > to accomplish during my term, if elected.
> You forgot to tell about security. More and more people are concerned about
> trojans in automatically downloaded packages. I know that there's no really
> good solution as in the end it is all software from different authors but
> we must at least do a bit more for security. Proposals are e.g.
> * APT could automatically check signatures on downloaded sources
> * APT could automatically check signatures on packages which the maintainer
> has built himself.
> * A task force could check the diffs and md5sum check the .orig.tar.gz's for
> malicious code - yeah, I know it's easy to hide but we normally don't have
> that much source code changes outside the /debian dir.
> * something. At least make the users aware how much or how little security they
> really get from Red Hat's signed packages.
> * More people for the security fix team.
Check out debsigs and debsigs-verify (the latter being on non-US). John
Goerzen and I are working on package signing. IIRC, Jason and Anthony
were working on a signed index of md5sums for the archive in addition to
this.
The only thing it is waiting for is integration with our current tools,
and policy to back it up.
--
-----------=======-=-======-=========-----------=====------------=-=------
/ Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \
` bcollins@debian.org -- bcollins@openldap.org -- bcollins@linux.com '
`---=========------=======-------------=-=-----=-===-======-------=--=---'
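The mechanism Ben describes, a signed index of per-package checksums that apt would verify before trusting any package, can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not code from debsigs, debsigs-verify or the Debian archive tools, and the packages, key and tampered copies in it are all constructed inline. It keeps md5sum as the per-file hash because that is what the thread proposes, and uses an Ed25519 key as a stand-in for the archive's signing key; today's Debian Release files carry SHA-256 sums and an OpenPGP signature, but the trust chain is the same: verify the signature over the index first, and only then compare a file's hash against the entry the signed index lists.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Package is a constructed stand-in for a .deb: a file name and its bytes.
type Package struct {
	Name string
	Data []byte
}

// BuildIndex produces the archive index, one "md5sum  filename" line per
// package, sorted by name so the bytes being signed are canonical.
func BuildIndex(pkgs []Package) []byte {
	sorted := append([]Package(nil), pkgs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	var b bytes.Buffer
	for _, p := range sorted {
		sum := md5.Sum(p.Data)
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), p.Name)
	}
	return b.Bytes()
}

// SignIndex signs the index bytes with the (hypothetical) archive key.
func SignIndex(priv ed25519.PrivateKey, index []byte) []byte {
	return ed25519.Sign(priv, index)
}

// ParseIndex turns index text into a filename -> md5 hex map, rejecting
// malformed lines rather than silently skipping them.
func ParseIndex(index []byte) (map[string]string, error) {
	m := make(map[string]string)
	for _, line := range strings.Split(strings.TrimRight(string(index), "\n"), "\n") {
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != 32 {
			return nil, fmt.Errorf("malformed index line: %q", line)
		}
		m[fields[1]] = fields[0]
	}
	return m, nil
}

// VerifyPackage checks the index signature before anything else; a bad
// signature means no hash in the index may be relied on.
func VerifyPackage(pub ed25519.PublicKey, index, sig []byte, pkg Package) error {
	if !ed25519.Verify(pub, index, sig) {
		return fmt.Errorf("index signature invalid: refusing to trust its contents")
	}
	idx, err := ParseIndex(index)
	if err != nil {
		return err
	}
	want, ok := idx[pkg.Name]
	if !ok {
		return fmt.Errorf("%s: not listed in the signed index", pkg.Name)
	}
	sum := md5.Sum(pkg.Data)
	if got := hex.EncodeToString(sum[:]); got != want {
		return fmt.Errorf("%s: md5sum mismatch (index %s, file %s)", pkg.Name, want, got)
	}
	return nil
}

// Demo runs the flow on constructed data and returns which checks passed:
// genuine packages verify, a modified copy fails on its hash, and a
// re-generated index that lists the modified hash fails on its signature.
func Demo() map[string]bool {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkgs := []Package{
		{"apt_0.5.deb", []byte("constructed apt package contents")},
		{"xfree86_4.0.deb", []byte("constructed xfree86 package contents")},
	}
	index := BuildIndex(pkgs)
	sig := SignIndex(priv, index)

	results := map[string]bool{}
	for _, p := range pkgs {
		results[p.Name] = VerifyPackage(pub, index, sig, p) == nil
	}
	modified := Package{"apt_0.5.deb", []byte("constructed apt package contents, modified on a mirror")}
	results["modified:"+modified.Name] = VerifyPackage(pub, index, sig, modified) == nil
	forged := BuildIndex([]Package{modified, pkgs[1]})
	results["forged-index"] = VerifyPackage(pub, forged, sig, modified) == nil
	return results
}

func main() {
	for name, ok := range Demo() {
		fmt.Printf("%-24s verified=%v\n", name, ok)
	}
}
```

The ordering in VerifyPackage is the point of the design: the per-file checksum only carries the trust of the signature over the index, so an unsigned or re-signed index must be rejected before a single md5sum is compared, and a package absent from the index is treated as unverified rather than as "nothing to check".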