[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: security (was: Re: my platform for Debian Project Leader)



On Wed, Feb 21, 2001 at 10:54:38PM +0100, Christian Hammers wrote:
> You forgot to tell about security. More and more people are concerned about
> trojans in automatically downloaded packages. I know that there's no really
> good solution as in the end it is all software from different authors but
> we must at least do a bit more for security. Proposals are e.g.
> * APT could automatically check signatures on downloaded sources
> * APT could automatically check signatures on packages which the maintainer
>   has self builded.
> * A task force could check the diffs and md5sum check the .orig.tar.gz's for
>   malicious code - yeah, I know it's easy to hide but we normally don't have
>   that much source code changes outside the /debian dir.
> * something. At least make the users aware how much or less the security they
>   get from RedHats signed packages really is for them. 
> * More more people for the security fix team. 

As Ben Collins pointed out, most of this is already underway.  I was aware
of it because John Goerzen has been working on it, and John and I work for
the same company, and were officemates at the time he wrote his white paper
on package signatures.

Aside from seeing if we can swell the ranks of the security team, I think
your other concerns are being addressed by some hardworking people already.
I'm inclined to give them some time to bring their work to fruition before
I indentify it in my platform as an issue that is being inadequately
addressed.

-- 
G. Branden Robinson             |   Men use thought only to justify their
Debian GNU/Linux                |   wrong doings, and speech only to conceal
branden@debian.org              |   their thoughts.
http://www.debian.org/~branden/ |   -- Voltaire

Attachment: pgpLwiEXhpYgg.pgp
Description: PGP signature


Reply to: