Re: AW: dselect / apt-get and packages

To: Debian-Security <debian-security@lists.debian.org>
Subject: Re: AW: dselect / apt-get and packages
From: Matthew Johnson <mjj29@cam.ac.uk>
Date: 08 Jul 2002 23:31:55 +0100
Message-id: <[🔎] 1026167517.1541.18.camel@binford.trinhall.cam.ac.uk>
In-reply-to: <[🔎] ABEKLOAPHGEAANDBAIFFAEJCCHAA.mmweber@ncpro.com>
References: <[🔎] ABEKLOAPHGEAANDBAIFFAEJCCHAA.mmweber@ncpro.com>

On Mon, 2002-07-08 at 22:15, Marcel Weber wrote:
> >
> > Actually, as the system is, it could.  There was an arcticle on
> > this some time
> > ago...
> >
> > Certain parts of the package are signed but there is no automated checking
> > of those signatures AFAIK.
> >
> 
> 
> Well this would not be a big thing, would it? When I take a look at the ftp
> server, there is a .dsc with pgp signatures for each package. So letting
> dselect / aptitude or better dpkg-get doing a check for the key via gpg
> would be no big deal, or am I wrong? As there are many mirrors worldwide,
> that could be hacked or something, it would be a huge security improvement.
> 

The main problem is presumably with trust of the keys. If all the debian
developers / package maintainers had keys signed by a central debian key
- they you still have to trust that debian key. Events like debconf
could certainly be used to check fingerprints and sign keys - but that
still leaves a lot of ppl without an easy way to check. At some point
you have to draw the line though. I think that distributing the public
key with the base install is probably acceptible (if thats been
compromised, then you're in a whole lot of other trouble) - particularly
if you check it against a centralised copy - and make sure its not
different.

This would also make for some interesting varients on package
distribution. If a main mirror just held the gpg signatures, then it
doesn't matter where else you get the packages from (ie random other
servers, peer-to-peer networks, etc) - you could get the (really small
bandwith) sigs from the main site. (on reflection even this isn't
neccessary with authentication from the correct key)

I certainly would feel somewhat better with security related things, if
I knew that this was done.
-- 
Matthew Johnson. <mjj29@cam.ac.uk>

"They that would give up essential liberty for temporary safety
deserve neither liberty nor safety."
-- Benjamin Franklin

PGP Key ID: 0x5BE86FB9
http://www.srcf.ucam.org/~mjj29/

-----BEGIN GEEK CODE BLOCK-----     | Campaign for  _  _|  __
GCS/M d-(--) s: a--(?) C++ P--      | Digital      /  / | |
UL++(++++) L+++ E---- W+++ N++ K-   | Rights!      \_ \_| |
w--- M- PS- PE PGP+++ t+ 5 X- R     | http://uk.eurorights.org/
tv-- b++++ DI D++ G e>++++ h !r y-
------END GEEK CODE BLOCK------

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Follow-Ups:
- Re: AW: dselect / apt-get and packages
  - From: Samuele Giovanni Tonon <samu@linuxasylum.net>

References:
- AW: dselect / apt-get and packages
  - From: "Marcel Weber" <mmweber@ncpro.com>

Prev by Date: AW: dselect / apt-get and packages
Next by Date: Re: dselect / apt-get and packages
Previous by thread: AW: dselect / apt-get and packages
Next by thread: Re: AW: dselect / apt-get and packages
Index(es):
- Date
- Thread