Re: dselect / apt-get and packages
Quoting Marcel Weber (firstname.lastname@example.org):
>> Certain parts of the package are signed but there is no automated checking
>> of those signatures AFAIK.
> Well this would not be a big thing, would it? When I take a look at
> the ftp server, there is a .dsc with pgp signatures for each package.
> So letting dselect / aptitude or better dpkg-get doing a check for the
> key via gpg would be no big deal, or am I wrong?
There's a pretty well-tested patch for dpkg to check signatures using
debsig-verify at installation time:
For reasons that will be obvious when you read that post, using the
patch will remain a real pain in the ass unless/until no packages remain
that are unsigned.
Also, the problem of ensuring that you get meaningful assurance (e.g.,
can distinguish a trustworthy signature from one that isn't) is more
subtle than most people assume.
> As there are many mirrors worldwide, that could be hacked or
> something, it would be a huge security improvement.
And this is perhaps a bit less of a problem that you may be assuming.
The key (as usual) is to contemplate the threat model. If you're
talking about trojaned packages placed on a mirror, it's unlikely
they'd remain past the next rsync remirror.
Cheers, There are only 10 types of people in this world --
Rick Moen those who understand binary arithmetic and those who don't.
To UNSUBSCRIBE, email to email@example.com
with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org