
Re: Howto verify packages with apt-get (gpg?)



On Saturday 30 November 2002 12:28, Fred Bowman wrote:
> Benjamin Schulz wrote:
> >>how can i prove, that the package is ok? md5sum is not
> >> satisfactory.
> >
> > why not?
>
> imagine that a package, which is provided on a server, is manipulated
> (trojan). there would be no problem for the bad guy to manipulate the
> md5sum, too (if provided on the same server). he just has to build it
> from the new package (trojan) and then replace the old one with the
> new. signatures of files can not be as easily manipulated as md5sums.
> therefore you need to have the secret key and passphrase to sign the
> new package.

That's true but, if you're trojaning a package, you might as well create 
a new keypair with the same name and address as the original, and many, 
if not most, will not see the difference. It's just a speed bump.

What we really need is a tight web-of-trust, that includes not only 
developers, but users need to be able to meet developers to get 
integrated in the web-of-trust. 

It is quite likely that free software will be attacked with trojans more 
in the future, so it seems like this is rather urgent. 

Of course, it won't guarantee that no trojan will be inserted, but at 
least there is a human looking at the code before s/he signs it, and that 
does help a lot.

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net  webmaster@skepsis.no  editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/
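
Added example (not part of the original message, and not code from apt or GnuPG): because a look-alike key carries the same name and address, a verifier has to compare the fingerprint that gpg reports on --status-fd with one obtained out of band, not the user ID. The fingerprints, address and status lines below are constructed; package.sig and package.deb are placeholder file names.

```shell
#!/bin/sh
# Intended use (file names are placeholders):
#   gpg --status-fd 1 --verify package.sig package.deb 2>/dev/null \
#       | check_status "$PINNED_FPR"

# Fingerprint learned out of band, e.g. in person (constructed value).
PINNED_FPR='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'

# check_status PINNED_FPR   (gpg status lines on stdin)
# Returns 0 only if a VALIDSIG line carries the pinned fingerprint, as the
# signing key or as its primary key, and no bad/expired/revoked/error
# status was reported for any signature in the input.
check_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$pinned" ] || return 1
    awk -v want="$pinned" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { exit !(ok && !bad) }
    '
}

# check_uid_only TEXT   (the weak check, shown for contrast)
# Accepts any good signature whose user ID contains TEXT. The user ID is
# free text typed by whoever generated the key.
check_uid_only() {
    awk -v uid="$1" '$2 == "GOODSIG" && index($0, uid) { f = 1 } END { exit !f }'
}

# Constructed status output: signature made by the pinned key.
sample_genuine() {
    printf '%s\n' \
      '[GNUPG:] GOODSIG 89ABCDEF01234567 Package Maintainer <maintainer@example.org>' \
      '[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2002-11-30 1038657600 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567'
}

# Constructed status output: a different key with the same name and address.
sample_lookalike() {
    printf '%s\n' \
      '[GNUPG:] GOODSIG 76543210FEDCBA98 Package Maintainer <maintainer@example.org>' \
      '[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2002-11-30 1038657600 0 3 0 17 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98'
}
```

Both samples pass check_uid_only; only the first passes check_status, which is the difference between matching a name and matching a key.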


