[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: AW: dselect / apt-get and packages

On Mon, 2002-07-08 at 22:15, Marcel Weber wrote:
> >
> > Actually, as the system is, it could.  There was an arcticle on
> > this some time
> > ago...
> >
> > Certain parts of the package are signed but there is no automated checking
> > of those signatures AFAIK.
> >
> Well this would not be a big thing, would it? When I take a look at the ftp
> server, there is a .dsc with pgp signatures for each package. So letting
> dselect / aptitude or better dpkg-get doing a check for the key via gpg
> would be no big deal, or am I wrong? As there are many mirrors worldwide,
> that could be hacked or something, it would be a huge security improvement.

The main problem is presumably with trust of the keys. If all the debian
developers / package maintainers had keys signed by a central debian key
- they you still have to trust that debian key. Events like debconf
could certainly be used to check fingerprints and sign keys - but that
still leaves a lot of ppl without an easy way to check. At some point
you have to draw the line though. I think that distributing the public
key with the base install is probably acceptible (if thats been
compromised, then you're in a whole lot of other trouble) - particularly
if you check it against a centralised copy - and make sure its not

This would also make for some interesting varients on package
distribution. If a main mirror just held the gpg signatures, then it
doesn't matter where else you get the packages from (ie random other
servers, peer-to-peer networks, etc) - you could get the (really small
bandwith) sigs from the main site. (on reflection even this isn't
neccessary with authentication from the correct key)

I certainly would feel somewhat better with security related things, if
I knew that this was done.
Matthew Johnson. <mjj29@cam.ac.uk>

"They that would give up essential liberty for temporary safety
deserve neither liberty nor safety."
-- Benjamin Franklin

PGP Key ID: 0x5BE86FB9

-----BEGIN GEEK CODE BLOCK-----     | Campaign for  _  _|  __
GCS/M d-(--) s: a--(?) C++ P--      | Digital      /  / | |
UL++(++++) L+++ E---- W+++ N++ K-   | Rights!      \_ \_| |
w--- M- PS- PE PGP+++ t+ 5 X- R     | http://uk.eurorights.org/
tv-- b++++ DI D++ G e>++++ h !r y-

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: