Recent SecurityFocus Column and the Debian HOWTO
Jon, regarding your recent, insightful column at SecurityFocus
(http://www.securityfocus.com/columnists/48) on package manipulation and
Trojan insertion: I have been discussing this issue in Debian for a
while, and just yesterday (IIRC, but it can be checked at cvs.debian.org)
I sent a new version of the "Securing Debian HOWTO" (available at
http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html),
which does talk about the package-signing stuff and Debian's point of
view regarding it. As you say in your column, you currently *can* check
signatures in Debian, but it's not enabled by default, since the
proposed scheme has not yet been decided upon (check the HOWTO for more
information).
BTW, I did write this info *before* reading your column (just in case
you were wondering); as a matter of fact I had the notes for about a
week but had to find some time to write them down :)
In any case, I wanted to pass this info along just in case you want to
update your column with additional info.
Regards
Javier Fernández-Sanguino Peña