
Re: Apt-get is insecure

On Thu, 13 Dec 2001, Wichert Akkerman wrote:

> There is a separate plan for verifying signatures using apt. From
> memory this goes as follows:
> * deb packages are installed in the archive
> * the MD5 checksum for each package is listed in the Packages file
> * the MD5 checksum for each Packages file for a release is listed in
>   the Release file
> * the archive creates a signature for the Release file that apt can
>   verify

	Forgive me if my question is rather naive. I have the following
scenario and am curious to know whether this has already been addressed:

1.  Mr. Cracker sets up a mirror and claims it is a mirror for Debian
2.  Mr. Cracker recompiles trojaned packages and recomputes the MD5
checksums for them. These trojaned .debs are placed on the mirror.

	How would a person getting .debs from this mirror be able to
protect him/herself from such a situation? Would they have to exclusively
get .debs from the Debian site itself?

	Note that if the packages are PGP / GPG signed, the problem is
only a little less acute. Mr. Cracker could sign the package with his /
her key. How would a user know that Mr. Cracker is not in fact the
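
The chain of checks in the quoted plan, as an added example that is not part of the original message and is not apt's own code. It assumes the Release text handed to `verify_chain` has already had its signature verified against a key the user trusts (that step is not shown); the paths, file contents and helper names are constructed for illustration.

```python
import hashlib

DEB_PATH = "pool/main/h/hello/hello_1.0_i386.deb"   # constructed path
PKG_PATH = "main/binary-i386/Packages"              # constructed path

def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def release_checksums(release_text: str) -> dict:
    """Parse the 'MD5Sum:' block of a Release file into {path: md5}."""
    sums, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, _size, path = line.split()
            sums[path] = digest
        else:
            in_block = False
    return sums

def package_checksums(packages_text: str) -> dict:
    """Map each stanza's Filename field to its MD5sum field."""
    sums = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines())
        sums[fields["Filename"]] = fields["MD5sum"]
    return sums

def verify_chain(trusted_release, packages_path, packages, deb_path, deb):
    """Walk Release -> Packages -> .deb; return 'ok' or the link that failed."""
    # Assumption: trusted_release already passed signature verification.
    if release_checksums(trusted_release).get(packages_path) != md5(packages):
        return "Packages does not match Release"
    if package_checksums(packages.decode()).get(deb_path) != md5(deb):
        return ".deb does not match Packages"
    return "ok"

# Constructed sample data standing in for a real archive.
def make_packages(deb: bytes) -> bytes:
    return f"Package: hello\nFilename: {DEB_PATH}\nMD5sum: {md5(deb)}\n".encode()

def make_release(packages: bytes) -> str:
    return f"Suite: stable\nMD5Sum:\n {md5(packages)} {len(packages)} {PKG_PATH}\n"

GOOD_DEB = b"constructed stand-in for the archive's .deb bytes"
BAD_DEB = b"constructed stand-in for a rebuilt, modified .deb"
GOOD_PACKAGES = make_packages(GOOD_DEB)
TRUSTED_RELEASE = make_release(GOOD_PACKAGES)
```

A mirror that replaces the .deb and recomputes its MD5 has to change the Packages file, which then no longer matches the checksum in the signed Release file; rewriting Release as well would invalidate its signature.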

