[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Does Debian need to enforce a better Security policy for packages?

On 22/10/01, Javier Fernández-Sanguino Peña wrote:
> 	I am looking into the security policies outlined for package
> building, in order to include some notes regarding them in the section
> "How does Debian handle security" in the "Securing Debian Manual" 
> (http://www.debian.org/doc/ddp)

What does security policies for building a debian package exactly have
to do with securing a debian box? System administrator reading this
document will be interested in tips and howtos on improving the security
on the boxes, that he administrates. He's certainly not interested in
knowing how to securely build a debian package.

> 	For example, I have been recently asked if a maintainer can do
> whatever he wishes in a package. Can he? Sure, we have policies, but what
> if we have a debian developer distributing a trojan in a package. IMHO

That will soon be discovered and I would say those maintainer is facing
definetely problems. 

> lintian does check many issues regarding policy, but it does not test
> potential security problems.

Which is correct, since lintian is only written for checking policy
compliance. If you want a tool checking for security problems, you
should write another new tool for this purpose.

> 	I just made an empty package with dh_make with only a postinst
> having 'rm -rf /'. Lintian says:

> $ lintian test-rm*deb
> E: test-rm: description-is-dh_make-template
> E: test-rm: helper-templates-in-copyright
> W: test-rm: readme-debian-is-debmake-template
> W: test-rm: unknown-section unknown

> 	So. Since we do not source code audits of incoming packages and
> this kind of issues are not detected automatically... does this leave
> the Debian distribution open to attack if a developer box gets hacked
> into? 

No, new packages are not automatically becoming available for everyone
and will be reviewed before. So this doesn't leave the distribution open
for that kind of attacks you imagine.

> Should we improve lintian in order to yell if some (destructive) action is
> taken upon installation/de-installation? Should we further limit the kind

No, because that's not the purpose of lintian. Write either a new tool
for that purpose or leave it. But be aware that it's very difficult to
detect all kinds of possible attacks or trojans that one could create.

           Debian Developer (http://www.debian.org)
1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853

Attachment: pgp3WZj5TLZNJ.pgp
Description: PGP signature

Reply to: