[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Makeing Debian more secure - sign binaries with elfsign?

On Mon, May 03, 2004 at 01:49:01AM +0200, Andreas Kotes wrote:
> Heya,
> 
> * Andrew Pollock <apollock@debian.org> [20040503 01:36]:
> > On Fri, Apr 30, 2004 at 03:25:59PM +0200, Andreas Kotes wrote:
> > > What do you think? Signed binaries instead of tools like tripwire or
> > > aide et all?
> > 
> > Sounds interesting. How does elfsign go with prelinking?
> 
> I've got no idea, and no experience with prelinking. Perhaps you want to
> try?

Heh, I don't know much more, just that prelinking busts the checksum of a
binary. I've had a quick look at the licence, and I think it's currently
unsuitable as DFSG-free, but I just dropped the upstream maintainer an email
asking him if he'd like to relicense it (the GPL would serve the same
purpose as his current licence I think).

I'm not sure how elfsign would work in Debian's build environment. It would
make sense to have source-only uploads, and the buildds sign the binaries as
part of the build process. It's a shame it's using X509 certificates instead
of PGP/GnuPG.

regards

Andrew
Reply to: