Re: CD/DVD do not contain Release.gpg files - secure apt complains

To: debian-release@lists.debian.org, debian-cd@lists.debian.org
Subject: Re: CD/DVD do not contain Release.gpg files - secure apt complains
From: Steve Langasek <vorlon@debian.org>
Date: Thu, 28 Dec 2006 03:15:48 -0800
Message-id: <[🔎] 20061228111548.GR29295@mauritius.dodds.net>
Mail-followup-to: debian-release@lists.debian.org, debian-cd@lists.debian.org
In-reply-to: <[🔎] 20061227224558.GI8862@einval.com>
References: <20061227215359.GA32766@pluto> <[🔎] 20061227224558.GI8862@einval.com>

On Wed, Dec 27, 2006 at 10:45:58PM +0000, Steve McIntyre wrote:
> On Wed, Dec 27, 2006 at 10:53:59PM +0100, Jens Seidel wrote:

> >I noticed that recent DVD images do not contain Release.gpg files so
> >that APT warns all time about insecure packages.

> >An installation using the Debian Installer is probably not affected
> >because of a TrustCDROM setting in /etc/apt/apt.conf.d/00trustcdrom but
> >I use a loop-back mounted copy of a DVD set on my hard disk.

> Yup, it's a known issue. And it's not one that's likely to be fixed,
> and *definitely* not for the weekly builds. The problem is:

>  * apt only trusts a small number of keys
>  * access to those keys is (rightly!) very tightly controlled on
>    one central server (not the CD build server)

> This means no trusted Release files on the CDs/DVDs. To generate them
> will involve either:

>  * adding yet another key to the list that apt trusts, and using that
>    on the CD build server. That's still not ideal for security.

>    or

>  * in the middle of each CD build, pause, copy all the Release files
>    across from the temporary dirs to a central trusted machine, get
>    them all signed and then copy the sigs back. That *might* happen
>    for a full release, but it's definitely not going to happen for
>    the regular builds each day/week! :-)

> Finally, the typical use case for the CDs is to use the installer from
> those CDs. As you're then relying on the apt binary on those same CDs
> to check for keys, it gains you nothing in terms of security to check
> signatures. An attacker could easily trojan that apt to accept
> whatever key they like. Once we make a full release, the checksums of
> the CD and DVD images will be signed so you can verify trust that way.

I highly doubt this would come together now for etch, but wouldn't it make
sense that even for daily/weekly builds, key data be included on the CD
that would be pulled in during the install?  I guess the only benefit would
be suppressing the warning message, at the cost of the key used for that CD
build being trusted on an ongoing basis, making a relatively easy target for
an attacker... so probably not such a good idea after all.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Reply to:

References:
- Re: CD/DVD do not contain Release.gpg files - secure apt complains
  - From: Steve McIntyre <steve@einval.com>

Prev by Date: Re: please allow ltsp 0.99debian9 into etch
Next by Date: Re: etch: twoftpd 1.21-4
Previous by thread: Re: CD/DVD do not contain Release.gpg files - secure apt complains
Next by thread: please allow ltsp 0.99debian9 into etch
Index(es):
- Date
- Thread