Re: dselect / apt-get and packages
Quoting Marcel Weber (mmweber@ncpro.com):
>> Certain parts of the package are signed but there is no automated checking
>> of those signatures AFAIK.
>
> Well this would not be a big thing, would it? When I take a look at
> the ftp server, there is a .dsc with pgp signatures for each package.
> So letting dselect / aptitude or better dpkg-get doing a check for the
> key via gpg would be no big deal, or am I wrong?

There's a pretty well-tested patch for dpkg to check signatures using
debsig-verify at installation time:
http://lists.debian.org/debian-dpkg/2001/debian-dpkg-200103/msg00024.html

For reasons that will be obvious when you read that post, using the
patch will remain a real pain in the ass unless/until no packages remain
that are unsigned.

Also, the problem of ensuring that you get meaningful assurance (e.g.,
can distinguish a trustworthy signature from one that isn't) is more
subtle than most people assume.

> As there are many mirrors worldwide, that could be hacked or
> something, it would be a huge security improvement.

And this is perhaps a bit less of a problem than you may be assuming.
The key (as usual) is to contemplate the threat model. If you're
talking about trojaned packages placed on a mirror, it's unlikely
they'd remain past the next rsync remirror.

--
Cheers,                 There are only 10 types of people in this world --
Rick Moen               those who understand binary arithmetic and those who don't.
rick@linuxmafia.com