Re: apt 0.6 and how it does *not* solve the problem
On Mon, Aug 23, 2004 at 01:03:54AM +0200, martin f krafft wrote:
> Debian did not have package signatures for years, and it's been
> rarely a problem. Now we are going to add them, but the sole effect
> is that of a false security feeling. To me, APT 0.6 is snake oil,
> which is *not* an offence to the guys behind apt-secure. It's
> a criticism of the organisation as a whole, and it's a rant without
> a solution that I can propose.
While you have a point that the huge number of people with full write
access to the archive is a problem, I still think that apt 0.6 serves a
purpose: It makes local mirrors more secure.
And that is an important point: While an attack against central Debian
infrastructure could compromise a huge number of users at once, it's
likely to get detected quite soon. Therefore, it's a likely target for
some random hacker group trying to get mentioned on slashdot. But more
dangerous attackers, like companies trying to spy on their competitors,
are more likely to target a local mirror. And a compromise of a local
mirror, perhaps modifying it in a way that it only gives modified
packages to a certain client, is very likely to stay undetected for a
long time. But that's exactly the kind of compromise which would be
caught by apt 0.6 immediately.
> I think, adding package signatures will actually make Debian less
> secure than it was before, although it's doubtful that the average
> user will notice or care.
I don't think so. It's just very important to understand that apt can
only close a few attack vectors.