
Re: Howto verify packages with apt-get (gpg?)

> On Saturday 30 November 2002 12:28, Fred Bowman wrote:
> That's true but, if you're trojaning a package, you might as well create 
> a new keypair with the same name and address as the original, and many, 
> if not most, will not see the difference. It's just a speed bump.

  I thought debian-keyring was for that purpose. Of course, that package's
integrity needs to be verified from external sources to prevent anyone from
tampering with the keys it provides. That way just having a key with
"right" info is not enough, the attacker needs to change the key(s) in the
debian-keyring package as well.

  Considering that there are quite a number of installed copies already
around, such a change would be noticed rather quickly.

  Your other points are perfectly valid; trojans especially are likely to
become a troublesome aspect. (Just a personal opinion and hunch.)

 Mika Boström      +358-40-525-7347  \-/  "The Hell is empty,
 Bostik@lut.fi    www.lut.fi/~bostik  X    and all the devils
 Security freak, and proud of it.    /-\   are here." -W.S.
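As an added example (not code from this thread or from Debian's own tools), the two-step check the reply describes, written against the `gpg --with-colons --fingerprint` record format with constructed keys and made-up fingerprints: first the pinned keyring is checked against a digest obtained out of band, then a package signer is accepted only if its fingerprint is in that keyring, so a look-alike key carrying the same name and address is rejected.

```python
import hashlib
import hmac

# Constructed `gpg --with-colons --fingerprint` output for a pinned keyring
# (think: the keys shipped in debian-keyring). Fingerprints are made up.
TRUSTED_KEYRING_LISTING = """\
pub:-:1024:17:AAAA000000000001:2001-05-01::-:::scSC:
fpr:::::::::0000111122223333444455556666777788889999:
uid:-::::2001-05-01::ABCD::Alice Developer <alice@example.org>:
pub:-:1024:17:AAAA000000000002:2002-03-15::-:::scSC:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:-::::2002-03-15::EF01::Bob Developer <bob@example.org>:
"""

# Constructed listing of the key that signed a trojaned package: same name and
# address as Alice, but a freshly generated keypair with another fingerprint.
IMPOSTOR_KEY_LISTING = """\
pub:-:1024:17:DEADBEEF00000003:2002-11-30::-:::scSC:
fpr:::::::::DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF:
uid:-::::2002-11-30::1234::Alice Developer <alice@example.org>:
"""

def parse_colons(listing: str) -> dict:
    """Map fingerprint -> primary user ID from gpg --with-colons records."""
    keys = {}
    fpr = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            fpr = None  # new key: forget the previous fingerprint
        elif fields[0] == "fpr":
            fpr = fields[9]  # field 10 holds the fingerprint
        elif fields[0] == "uid" and fpr and fpr not in keys:
            keys[fpr] = fields[9]  # field 10 holds the user ID
    return keys

def keyring_matches_published_digest(keyring_bytes: bytes, expected_sha256: str) -> bool:
    """Step 1: check the pinned keyring against a digest obtained out of band."""
    actual = hashlib.sha256(keyring_bytes).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())

def signer_is_trusted(signer_listing: str, keyring_listing: str) -> bool:
    """Step 2: accept the signer only if its fingerprint is in the pinned keyring."""
    trusted = parse_colons(keyring_listing)
    return any(fpr in trusted for fpr in parse_colons(signer_listing))

def uid_only_check(signer_listing: str, keyring_listing: str) -> bool:
    """The weak check the thread warns about: compare only the name/address string."""
    trusted_uids = set(parse_colons(keyring_listing).values())
    return any(uid in trusted_uids for uid in parse_colons(signer_listing).values())
```

The impostor key passes `uid_only_check` but fails `signer_is_trusted`, which is the difference between a speed bump and a pinned key.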
