Re: Re: Apt-get is insecure
There is a list of "official mirrors" available at:
http://www.debian.org/misc/README.mirrors
Downloading your packages from any site other than those listed on
this page significantly increases your odds of downloading an
unofficial package (i.e. a Trojan horse...).
Regards,
Phil
> On Thu, 13 Dec 2001, Wichert Akkerman wrote:
>
> >
> > There is a separate plan for verifying signatures using apt. From
> > memory this goes as follows:
> >
> > * deb packages are installed in the archive
> > * the MD5 checksum for each package is listed in the Packages file
> > * the MD5 checksum for each Packages file for a release is listed in
> >   the Release file
> > * the archive creates a signature for the Release file that apt can
> >   verify
> >
> Hi,
>
> Forgive me if my question is rather naive. I have the following
> scenario and am curious to know whether this has already been addressed:
>
> 1. Mr. Cracker sets up a mirror and claims it is a mirror for Debian
>    distros.
> 2. Mr. Cracker recompiles trojaned packages and recomputes the MD5
>    checksums for them. These trojaned .debs are placed on the mirror.
>
> How would a person getting .debs from this mirror be able to protect
> him/herself from such a situation? Would they have to exclusively get
> .debs from the Debian site itself?
>
> Note that if the packages are PGP / GPG signed, the problem is only a
> little less acute. Mr. Cracker could sign the package with his / her
> key. How would a user know that Mr. Cracker is not in fact the
> maintainer?
>
> Regards,
> Jor-el
>
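The chain Wichert describes (signed Release -> Packages hashes -> .deb hashes) and Jor-el's "what if Mr. Cracker signs it himself" scenario, played out as an added example. This is my own illustration, not code from the thread, from apt or from Debian: it uses MD5 exactly as the quoted plan does, stands in an ed25519 key pair for the archive's PGP key, and builds its Release and Packages files in a simplified one-line-per-entry layout rather than apt's real format. The package names and contents are constructed sample data. The point it shows is that the client only ever verifies the Release signature against the archive key it already holds, so a mirror whose Release is signed with Mr. Cracker's key is rejected before any of its (internally consistent) hashes are even consulted, and a mirror that keeps the genuine signed Release cannot substitute a Packages file or a .deb without breaking one of the hash links.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Archive holds the three files from the quoted plan plus the .debs themselves.
// (Simplified layout for illustration; real apt files look different.)
type Archive struct {
	Debs     map[string][]byte // package file name -> package bytes
	Packages string            // one "name md5" line per .deb
	Release  string            // md5 of the Packages file
	Sig      []byte            // signature over Release by whoever runs the server
}

func md5hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// NewKey makes an ed25519 key pair: the archive has one, Mr. Cracker another.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildArchive is the server side: hash each .deb into Packages, hash Packages
// into Release, sign Release with whatever key the server holds.
func BuildArchive(priv ed25519.PrivateKey, debs map[string][]byte) Archive {
	names := make([]string, 0, len(debs))
	for n := range debs {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic Packages file
	var sb strings.Builder
	for _, n := range names {
		fmt.Fprintf(&sb, "%s %s\n", n, md5hex(debs[n]))
	}
	packages := sb.String()
	release := md5hex([]byte(packages)) + "\n"
	return Archive{Debs: debs, Packages: packages, Release: release,
		Sig: ed25519.Sign(priv, []byte(release))}
}

// packagesEntry returns the md5 recorded for name in a Packages file.
func packagesEntry(packages, name string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(packages))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 2 && f[0] == name {
			return f[1], true
		}
	}
	return "", false
}

// VerifyDeb is the client side. The only trust anchor is trusted, the archive
// key the client already has; a Release signed by any other key fails first.
func VerifyDeb(trusted ed25519.PublicKey, a Archive, name string) error {
	if !ed25519.Verify(trusted, []byte(a.Release), a.Sig) {
		return errors.New("Release signature was not made by the trusted archive key")
	}
	if strings.TrimSpace(a.Release) != md5hex([]byte(a.Packages)) {
		return errors.New("Packages file does not match the hash in Release")
	}
	want, ok := packagesEntry(a.Packages, name)
	if !ok {
		return fmt.Errorf("%s is not listed in Packages", name)
	}
	if md5hex(a.Debs[name]) != want {
		return fmt.Errorf("%s does not match the hash in Packages", name)
	}
	return nil
}

// Scenarios plays out the honest mirror and three of Mr. Cracker's mirrors.
func Scenarios() map[string]error {
	archivePub, archivePriv := NewKey()
	_, crackerPriv := NewKey()
	const name = "foo_1.0_i386.deb" // constructed sample package, not a real one
	honest := BuildArchive(archivePriv, map[string][]byte{name: []byte("honest foo 1.0")})
	trojan := map[string][]byte{name: []byte("trojaned foo 1.0")}
	// 1. Full rebuild: recomputed MD5s, Release signed with Mr. Cracker's own key.
	rekeyed := BuildArchive(crackerPriv, trojan)
	// 2. Genuine signed Release kept, but a Packages file with recomputed hashes.
	forgedPackages := BuildArchive(crackerPriv, trojan)
	forgedPackages.Release, forgedPackages.Sig = honest.Release, honest.Sig
	// 3. Genuine Release and Packages kept, only the .deb swapped.
	swappedDeb := honest
	swappedDeb.Debs = trojan
	return map[string]error{
		"honest mirror":                 VerifyDeb(archivePub, honest, name),
		"mirror signed by cracker key":  VerifyDeb(archivePub, rekeyed, name),
		"real Release, forged Packages": VerifyDeb(archivePub, forgedPackages, name),
		"real Packages, trojaned deb":   VerifyDeb(archivePub, swappedDeb, name),
	}
}

func main() {
	for k, err := range Scenarios() {
		fmt.Printf("%-32s %v\n", k+":", err)
	}
}
```

Only the first scenario verifies; the other three fail at the signature, Release and Packages checks respectively. What the scheme does not cover, as Jor-el's last paragraph hints, is how the client obtains the archive key in the first place: if that key is fetched from the same untrusted mirror, Mr. Cracker can simply supply his own.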