[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian mirrors and MITM

On vr, 2014-05-30 at 10:53 -0400, Michael Stone wrote:
> On Sat, May 31, 2014 at 12:46:12AM +1000, Alfie John wrote:
> >Sorry for asking questions.
> Don't apologize for asking questions, it's perfectly reasonable to do so 
> and you'll find that many people in debian are more than happy to answer 
> questions. Just make sure that you put in enough effort yourself to 
> ensure that you can actually engage constructively when you get an 
> answer. (And if some of the answers point to documentation, make sure 
> that you can't find the answers in the documentation.)

While Alfie should have done some homework first (at least asked Google
for example, but who didn't made that mistake?) there is some loophole
currently. It was discusses shortly a while ago on IRC and done away as
not important, but the loophole still exist as far as I'm aware of it.

What basically is missing for a running system is repository signing key
pinning for packages that would "prevent" that a third party repository
could upgrade components provided by the base OS. How many of us didn't
added debian-multimedia.org repositories and their PGP-keys to our
systems in the past? How many of us didn't added some weird PPA? And who
did remove remove both repo-lines AND PGP-keys when not needed anymore?
And how many of those keys have proper rollover/revoke/maintenance

Currently Debian checks if a package is signed by a trusted source, but
not if the package is trusted for the package that you're going to
update. Looks like a fun excise to offer a new apt package through the
debian-multimedia infra for example and see who will notice. Or a
modified openssh-server/client package through a populair PPA-repo.


Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: