
RE: Apt-get is insecure



Any PGP/GPG keys used by package maintainers will themselves be signed and
trusted by the Debian official community. What a "secure apt" must do is
alert if the key used is not so trusted, even if it uses the same name
and email address as it "should".

This assumes that the cracker's PGP/GPG key has, somehow, made it onto your
keyring where only your friends and the Debian maintainers ought to be
anyway.

Curt-

-----Original Message-----
From: Jor-el [mailto:jorel@trillian.megadodo.umb]
Sent: Friday, December 14, 2001 09:05
To: debian-security@lists.debian.org
Subject: Re: Apt-get is insecure


On Thu, 13 Dec 2001, Wichert Akkerman wrote:

> 
> There is a separate plan for verifying signatures using apt. From
> memory this goes as follows:
> 
> * deb packages are installed in the archive
> * the MD5 checksum for each package is listed in the Packages file
> * the MD5 checksum for each Packages file for a release is listed in
>   the Release file
> * the archive creates a signature for the Release file that apt can
>   verify
> 
Hi,

	Forgive me if my question is rather naive. I have the following
scenario and am curious to know whether this has already been addressed:

1.  Mr. Cracker sets up a mirror and claims it is a mirror for Debian
distros.
2.  Mr. Cracker recompiles trojaned packages and recomputes the MD5
checksums for them. These trojaned .debs are placed on the mirror.

	How would a person getting .debs from this mirror be able to
protect him/herself from such a situation? Would they have to exclusively
get .debs from the Debian site itself?

	Note that if the packages are PGP / GPG signed, the problem is
only a little less acute. Mr. Cracker could sign the package with his /
her key. How would a user know that Mr. Cracker is not in fact the
maintainer?

Regards,
Jor-el
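The verification chain Wichert describes (Release file -> Packages file -> .deb) and the rogue-mirror scenario Jor-el raises, as an added example that is not code from this thread or from apt itself: a Python walk of that chain over constructed sample files. It assumes the Release text has already passed the archive-signature check, which is the one step a rogue mirror cannot reproduce, and it uses MD5 only because that is what the 2001 design lists (current apt publishes SHA256 sums).

```python
import hashlib

# Constructed sample data standing in for a mirror's content (not real .deb archives).
GENUINE_DEB = b"genuine package contents"
TROJANED_DEB = b"trojaned package contents"
DEB_PATH = "pool/main/f/foo/foo_1.0_i386.deb"
PACKAGES_PATH = "main/binary-i386/Packages"

def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def packages_file(deb: bytes) -> str:
    """Minimal Packages stanza for one .deb, as a mirror publishes it."""
    return (f"Package: foo\nVersion: 1.0\nFilename: {DEB_PATH}\n"
            f"Size: {len(deb)}\nMD5sum: {md5hex(deb)}\n")

def release_file(packages: str) -> str:
    """Minimal Release file carrying the checksum of the Packages file."""
    data = packages.encode()
    return f"MD5Sum:\n {md5hex(data)} {len(data)} {PACKAGES_PATH}\n"

def parse_release(release: str) -> dict:
    """Map path -> (md5, size) from the MD5Sum: section of a Release file."""
    entries = {}
    for line in release.split("MD5Sum:\n", 1)[1].splitlines():
        if not line.startswith(" "):
            break
        digest, size, path = line.split()
        entries[path] = (digest, int(size))
    return entries

def parse_packages(packages: str) -> dict:
    """Map Filename -> (md5, size) from each stanza of a Packages file."""
    entries = {}
    for stanza in packages.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        entries[fields["Filename"]] = (fields["MD5sum"], int(fields["Size"]))
    return entries

def verify_chain(release: str, packages: str, deb: bytes) -> str:
    """Walk Release -> Packages -> .deb. The Release text is assumed to have
    already passed the archive-signature check (the GPG step is outside this
    example). Returns 'ok' or names the first link that breaks."""
    if parse_release(release).get(PACKAGES_PATH) != (md5hex(packages.encode()), len(packages.encode())):
        return "Packages file does not match the signed Release file"
    if parse_packages(packages).get(DEB_PATH) != (md5hex(deb), len(deb)):
        return ".deb does not match the Packages file"
    return "ok"
```

A mirror that swaps in a trojaned .deb and recomputes its MD5 in Packages is caught at the first link, because the recomputed Packages file no longer matches the signed Release file it cannot forge.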

