[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: apt 0.6 and how it does *not* solve the problem

On Mon, Aug 23, 2004 at 01:03:54AM +0200, martin f krafft wrote:
> So if I wanted to attack 80% of all Debian machines all over the
> world, I would try to compromise one of the 1000 keys, thereby
> getting write access to the incoming queue. Then, I could NMU
> a package and upload a trojaned version, best one that waits a year
> before activating, just to make sure I actually hit stable.

What about a --paranoid option, which makes apt warn on several
(slightly) suspicious changes:

- NMUs
- changes of maintainership
- new maintainers (not maintaners new to debian, but maintainers I didn't
  implicitly trust before by having installed one of their packages)

To make the last point more useful, one could add a concept of secondary
signatures, and ask developers to review and certify packages of other
developers. This could potentially reduce the number of developers one
has to trust for a given installation.

To give some numbers: On my laptop, which runs sid, and some packages
from experimental, I have 1332 installed packages by 407 different
maintainers. Not counting NMUs and ignoring groups of people (eg. "Debian
GCC maintainers"), I'd be only vulnerable if one of these 407 keys are
compromised. But 331 of these 407 maintainers have less than 5
packages installed on my computer, and 189 have only one. I guess this
number could be vastly reduced by secondary signatures, bringing the
number of people I'd have to trust down to, perhaps, 100-200. While this
is still a large number, it's much better than 1000. (BTW I didn't
verify this number - do we really have 1000 developers by now?)

Please don't consider this as a proposal - it's just a spontanous idea,
which may not be feasible. But then, perhaps it has some potential, so I
wanted to share it.


Reply to: