Re: Integrity of Debian packages
Putting aside the signing of deb packages - the article is a wee bit
simplistic.

The fact that the author is stating that a win box is not vulnerable
would indicate a fairly large gap in understanding.

If someone has root/Administrator access on a box, they can bypass any
integrity checking mechanism to install any piece of software they want
to. It's just a matter of working out how to do it.

The whole thing of signing packages is more aimed at the threat of me,
the authorised administrator of my Debian/Windows system, downloading a
package that has been compromised. As the root user, I should have a
mechanism to validate the integrity of the package.

Completely different threat that is being managed.

And every OS is vulnerable to the threat in the article - that's why we
all get so paranoid about patches.

Cheers,
Berin

>
> From: Andrew Pollock <debian-lists@andrew.net.au>
> Subject: Integrity of Debian packages
> Date: 07/03/2003 12:33:15
> To: debian-security@lists.debian.org
>
> Hi,
>
> One of my friends sent me this URL, it's an oldie, and the topic in
> general has been discussed before, but this article certainly does raise
> some concerns.
>
> http://www.astalavista.com/privacy/library/magic-lantern/fbi.shtml
>
> Andrew