
Re: dselect / apt-get and packages

Quoting Marcel Weber (mmweber@ncpro.com):

>> Certain parts of the package are signed but there is no automated checking
>> of those signatures AFAIK.
> Well this would not be a big thing, would it? When I take a look at
> the ftp server, there is a .dsc with pgp signatures for each package.
> So letting dselect / aptitude or better dpkg-get doing a check for the
> key via gpg would be no big deal, or am I wrong?

There's a pretty well-tested patch for dpkg to check signatures using 
debsig-verify at installation time:


For reasons that will be obvious when you read that post, using the 
patch will remain a real pain in the ass unless/until no packages remain
that are unsigned.

Also, the problem of ensuring that you get meaningful assurance (e.g.,
can distinguish a trustworthy signature from one that isn't) is more
subtle than most people assume.

> As there are many mirrors worldwide, that could be hacked or
> something, it would be a huge security improvement.

And this is perhaps a bit less of a problem than you may be assuming.
The key (as usual) is to contemplate the threat model.  If you're
talking about trojaned packages placed on a mirror, it's unlikely
they'd remain past the next rsync remirror.

Cheers,            There are only 10 types of people in this world -- 
Rick Moen          those who understand binary arithmetic and those who don't.
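
An added illustration, not part of Rick Moen's message or of the dpkg patch it mentions: a small audit that reports which .deb files carry embedded debsigs signatures at all, which is what determines how painful install-time enforcement would be. It assumes the debsigs convention of storing each signature as an ar member named `_gpg<role>` (for example `_gpgorigin`); the sample archives are constructed, and presence of a member says nothing about whether the signature is valid or trustworthy.

```python
AR_MAGIC = b"!<arch>\n"

def ar_members(data: bytes):
    """Yield (name, size) for each member of an ar archive (the .deb container)."""
    if data[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError(f"bad member header at offset {pos}")
        name = hdr[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, size
        pos += 60 + size + (size & 1)  # member data is padded to an even offset

def debsig_roles(data: bytes):
    """Return the signature roles present, e.g. ['origin'] for a _gpgorigin member."""
    return sorted(n[4:] for n, _ in ar_members(data) if n.startswith("_gpg"))

def unsigned_packages(packages: dict):
    """Given {filename: bytes}, list the files with no debsigs member at all."""
    return sorted(f for f, data in packages.items() if not debsig_roles(data))

def build_ar(members):
    """Build a constructed sample archive from (name, body) pairs (test data only)."""
    out = AR_MAGIC
    for name, body in members:
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}"
        out += hdr.encode("ascii") + b"`\n" + body + (b"\n" if len(body) & 1 else b"")
    return out

# Constructed samples: same layout as a .deb, with placeholder member bodies.
BASE = [("debian-binary", b"2.0\n"), ("control.tar.gz", b"ctl"), ("data.tar.gz", b"data!")]
SIGNED = build_ar(BASE + [("_gpgorigin", b"placeholder-sig")])
UNSIGNED = build_ar(BASE)

if __name__ == "__main__":
    cache = {"signed_1.0_all.deb": SIGNED, "unsigned_1.0_all.deb": UNSIGNED}
    for fname, data in cache.items():
        print(fname, debsig_roles(data) or "no debsigs signature")
    print("would be rejected by a strict policy:", unsigned_packages(cache))
```

To audit real files, read each .deb from the local package cache as bytes and pass the resulting dictionary to `unsigned_packages`.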
