
Re: apt 0.6 and how it does *not* solve the problem



On Mon, Aug 23, 2004 at 01:03:54AM +0200, martin f krafft wrote:
> Debian did not have package signatures for years, and it's been
> rarely a problem. Now we are going to add them, but the sole effect
> is that of a false security feeling. To me, APT 0.6 is snake oil,
> which is *not* an offence to the guys behind apt-secure. It's
> a criticism of the organisation as a whole, and it's a rant without
> a solution that I can propose.

While you have a point that the huge number of people with full write
access to the archive is a problem, I still think that apt 0.6 serves a
purpose: It makes local mirrors more secure.

And that is an important point: While an attack against central Debian
infrastructure could compromise a huge number of users at once, it's
likely to get detected quite soon. Therefore, it's a likely target for
some random hacker group trying to get mentioned on slashdot.  But more
dangerous attackers, like companies trying to spy on their competitors,
are more likely to target a local mirror. And a compromise of a local
mirror, perhaps modifying it in a way that it only gives modified
packages to a certain client, is very likely to stay undetected for a
long time. But that's exactly the kind of compromise which would be
caught by apt 0.6 immediately.

> I think, adding package signatures will actually make Debian less
> secure than it was before, although it's doubtful that the average
> user will notice or care.

I don't think so. It's just very important to understand that apt can
only close a few attack vectors.

Jan


