
Re: Debian auditing tool?

On Thu, Dec 21, 2000 at 03:30:25PM +0100, Christian Kurz wrote:

> > if I were trying to do mirror authentication, I'd ship apt with an
> > official .debian.org public key, and then ask .debian.org whether
> > the public key presented by a mirror was kosher.  There are other ways
> > of doing it...
> public key? GnuPG or PGP? Or do you mean ssh or what kind of public key
> do you think of? 

Well I actually meant "public key" in the theoretical sense, rather than
specifying an implementation.  I imagine you could use a scheme similar
to the one SSH uses for host verification.

> And what about rootkits that are often used and not widespread but that
> you don't detect really? I think that also such a rootkit is already
> existing.

I said it wasn't perfect.  Detection of some rootkits is better than
none.  I also don't understand what you mean by "often used and not

> > * automatic recognition of changes to the snapshot which correspond to
> >   the installation of packages from /etc/apt/sources.list, possibly
> >   augmented by mirror authentication
> You still failed to describe how you want to do automatic recognition of
> packages.

Well, it seems to me that there are lots of ways of doing this with
security which is at least as good as that of existing systems.  They
vary in elegance, required changes to Debian's infrastructure, and
network utilisation.

When I say security is "at least as good as that of existing systems", I
mean that even if you can't detect intrusions from 
/etc/apt/sources.list, you *can* detect other intrusions.

By the way, I just noticed that in this message,


ajt says that package signatures are "under development".  My proposal
is less than "under development" :)


|> |= -+- |= |>
|  |-  |  |- |\

Peter Eckersley
for techno-leftie inspiration, take a look at

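One way the snapshot check proposed in the message above could work, as an added example that is not part of the original post and not code from any Debian tool: changed files are compared against the file digests that installed packages are known to ship, and anything a package does not account for is flagged. The function name, status labels and sample data are assumptions, and the package manifests are assumed to come from a source that has already been authenticated.

```python
import hashlib


def digest(data: bytes) -> str:
    """SHA-256 hex digest, used here as the snapshot fingerprint."""
    return hashlib.sha256(data).hexdigest()


def classify_changes(baseline, current, package_manifests):
    """Compare two {path: digest} snapshots and explain each difference.

    package_manifests maps a package name to the {path: digest} set it ships
    (assumption: obtained from an authenticated source).
    Returns {path: (status, package_name_or_None)} for changed paths only.
    """
    # Index every digest a trusted package could legitimately put at a path.
    expected = {}
    for pkg, files in package_manifests.items():
        for path, dig in files.items():
            expected.setdefault(path, {})[dig] = pkg

    report = {}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue  # unchanged since the snapshot
        if new is None:
            report[path] = ("removed", None)
        elif new in expected.get(path, {}):
            # Content matches what an installed package ships for this path.
            report[path] = ("explained", expected[path][new])
        elif path in expected:
            # A package owns the path, but the content is not what it ships.
            report[path] = ("modified-mismatch", None)
        else:
            report[path] = ("unexplained", None)
    return report


# Constructed sample data, not taken from a real system.
BASELINE = {"/bin/ls": digest(b"ls 4.0"), "/bin/ps": digest(b"ps 2.0"),
            "/etc/motd": digest(b"hi")}
CURRENT = {"/bin/ls": digest(b"ls 4.1"), "/bin/ps": digest(b"ps altered"),
           "/etc/motd": digest(b"hi"), "/usr/bin/.x": digest(b"unknown")}
MANIFESTS = {"fileutils": {"/bin/ls": digest(b"ls 4.1")},
             "procps": {"/bin/ps": digest(b"ps 2.0")}}

if __name__ == "__main__":
    for path, (status, pkg) in classify_changes(BASELINE, CURRENT, MANIFESTS).items():
        print(f"{status:18} {path} {pkg or ''}")
```

Only the "explained" entries can be folded into a new baseline automatically; the other statuses need a person to look at them.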