
Re: Integrity of Debian packages



Putting aside the signing of deb packages, the
article is a wee bit simplistic.

The fact that the author is stating that a win
box is not vulnerable would indicate a fairly
large gap in understanding.

If someone has root/Administrator access on a box,
they can bypass any integrity checking mechanism
to install any piece of software they want to.

It's just a matter of working out how to do it.

The whole thing of signing packages is more aimed
at the threat of me, the authorised administrator
of my Debian/Windows system, downloading a
package that has been compromised.  As the root
user, I should have a mechanism to validate the
integrity of the package.

It's a completely different threat that is being managed.

And every OS is vulnerable to the threat in the
article - that's why we all get so paranoid about
patches.

Cheers,
    Berin

> 
> From: Andrew Pollock <debian-lists@andrew.net.au>
> Subject: Integrity of Debian packages
> Date: 07/03/2003 12:33:15
> To: debian-security@lists.debian.org
> 
> Hi,
> 
> One of my friends sent me this URL, it's an oldie, and the topic in 
> general has been discussed before, but this article certainly does raise 
> some concerns.
> 
> http://www.astalavista.com/privacy/library/magic-lantern/fbi.shtml
> 
> Andrew
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
> 

This message was sent through MyMail http://www.mymail.com.au