Re: Apt-get is insecure
On Thu, 13 Dec 2001, Wichert Akkerman wrote:
>
> There is a separate plan for verifying signatures using apt. From
> memory this goes as follows:
>
> * deb packages are installed in the archive
> * the MD5 checksum for each package is listed in the Packages file
> * the MD5 checksum for each Packages file for a release is listed in
> the Release file
> * the archive creates a signature for the Release file that apt can
> verify
>
Hi,
Forgive me if my question is rather naive. I have the following
scenario and am curious to know whether this has already been addressed:
1. Mr. Cracker sets up a mirror and claims it is a mirror for Debian
distros.
2. Mr. Cracker recompiles trojaned packages and recomputes the MD5
checksums for them. These trojaned .debs are placed on the mirror.
How would a person getting .debs from this mirror be able to
protect him/herself from such a situation? Would they have to exclusively
get .debs from the Debian site itself?
Note that if the packages are PGP / GPG signed, the problem is
only a little less acute. Mr. Cracker could sign the package with his /
her key. How would a user know that Mr. Cracker is not in fact the
maintainer?
Regards,
Jor-el
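
The chain from the quoted plan, checked against the mirror scenario raised in this message, as an added example that is not part of the original thread and is not apt's own code. It assumes the client already holds the archive's public key; the toy RSA, the key sizes, the file layout and every name below are constructed stand-ins.

```python
import hashlib

# Toy textbook RSA (unpadded, tiny Mersenne-prime moduli) stands in for the
# archive's real signature scheme; MD5 is used only because the thread names it.
E = 65537

def keypair(p, q):
    return p * q, pow(E, -1, (p - 1) * (q - 1))   # (public modulus, private exponent)

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest_int(data, n), d, n)

def verify_sig(data, sig, n):
    return pow(sig, E, n) == digest_int(data, n)

def md5(data):
    return hashlib.md5(data).hexdigest()

def publish(debs, n, d):
    """Build Packages and Release from the .debs and sign Release with key (n, d)."""
    packages = "".join(f"{name} {md5(blob)}\n" for name, blob in sorted(debs.items())).encode()
    release = f"Packages {md5(packages)}\n".encode()
    return {"debs": dict(debs), "Packages": packages, "Release": release,
            "sig": sign(release, n, d)}

def client_check(mirror, name, trusted_n):
    """Walk the chain top-down, trusting only the archive public key held beforehand."""
    if not verify_sig(mirror["Release"], mirror["sig"], trusted_n):
        return "bad Release signature"
    if mirror["Release"].decode().split()[1] != md5(mirror["Packages"]):
        return "Packages does not match Release"
    listed = dict(line.split() for line in mirror["Packages"].decode().splitlines())
    if listed.get(name) != md5(mirror["debs"][name]):
        return "deb does not match Packages"
    return "ok"

# Constructed sample data: one package, an archive key and a mirror operator's own key.
ARCHIVE_N, ARCHIVE_D = keypair(2**61 - 1, 2**89 - 1)
MIRROR_N, MIRROR_D = keypair(2**107 - 1, 2**127 - 1)
official = publish({"hello.deb": b"original build"}, ARCHIVE_N, ARCHIVE_D)
altered = {"hello.deb": b"modified build"}

def scenarios():
    swapped = dict(official, debs=altered)                 # only the .deb replaced
    rehashed = dict(publish(altered, MIRROR_N, MIRROR_D),  # checksums recomputed, but the
                    Release=official["Release"], sig=official["sig"])  # signed Release kept
    resigned = publish(altered, MIRROR_N, MIRROR_D)        # all redone with mirror's own key
    return [client_check(m, "hello.deb", ARCHIVE_N)
            for m in (official, swapped, rehashed, resigned)]
```

Each altered mirror fails at a different link, and the re-signed one fails only because the client checks against a key it obtained independently of the mirror.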