Re: Makeing Debian more secure - sign binaries with elfsign?
On Mon, May 03, 2004 at 01:49:01AM +0200, Andreas Kotes wrote:
> Heya,
>
> * Andrew Pollock <apollock@debian.org> [20040503 01:36]:
> > On Fri, Apr 30, 2004 at 03:25:59PM +0200, Andreas Kotes wrote:
> > > What do you think? Signed binaries instead of tools like tripwire or
> > > aide et all?
> >
> > Sounds interesting. How does elfsign go with prelinking?
>
> I've got no idea, and no experience with prelinking. Perhaps you want to
> try?
Heh, I don't know much more, just that prelinking busts the checksum of a
binary. I've had a quick look at the licence, and I think it's currently
unsuitable as DFSG-free, but I just dropped the upstream maintainer an email
asking him if he'd like to relicense it (the GPL would serve the same
purpose as his current licence I think).
I'm not sure how elfsign would work in Debian's build environment. It would
make sense to have source-only uploads, and the buildds sign the binaries as
part of the build process. It's a shame it's using X509 certificates instead
of PGP/GnuPG.
regards
Andrew
Reply to: