
Re: Debian mirrors and MITM



On vr, 2014-05-30 at 10:53 -0400, Michael Stone wrote:
> On Sat, May 31, 2014 at 12:46:12AM +1000, Alfie John wrote:
> >Sorry for asking questions.
> 
> Don't apologize for asking questions, it's perfectly reasonable to do so 
> and you'll find that many people in debian are more than happy to answer 
> questions. Just make sure that you put in enough effort yourself to 
> ensure that you can actually engage constructively when you get an 
> answer. (And if some of the answers point to documentation, make sure 
> that you can't find the answers in the documentation.)

While Alfie should have done some homework first (at least asked Google,
for example, but who hasn't made that mistake?) there is currently a
loophole. It was discussed briefly a while ago on IRC and dismissed as
not important, but the loophole still exists as far as I'm aware.

What is basically missing for a running system is repository signing key
pinning for packages, which would "prevent" a third-party repository
from upgrading components provided by the base OS. How many of us haven't
added debian-multimedia.org repositories and their PGP keys to our
systems in the past? How many of us haven't added some weird PPA? And who
did remove both the repo lines AND the PGP keys when they were no longer
needed? And how many of those keys have a proper
rollover/revoke/maintenance procedure?

Currently Debian checks whether a package is signed by a trusted source, but
not whether that source is trusted for the package that you're going to
update. Looks like a fun exercise to offer a new apt package through the
debian-multimedia infra, for example, and see who would notice. Or a
modified openssh-server/client package through a popular PPA repo.

Hans
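The gap Hans describes (a third-party key being trusted for every package, not just the ones you added the repository for) can be narrowed today with two stock apt mechanisms: an apt preferences file that pins everything from a third-party origin below installable priority except an explicit allow-list, and the `signed-by` source option that limits a key to the one repository it was imported for. The fragment below is an added illustration, not part of the original mail or of any Debian documentation; `third-party.example.org`, the keyring path and the package names are constructed placeholders.

```text
# /etc/apt/sources.list.d/third-party.list (constructed example)
# signed-by restricts this repository to its own keyring (apt >= 1.1);
# the key is NOT dropped into /etc/apt/trusted.gpg.d, so it cannot
# vouch for packages from the Debian mirrors.
deb [signed-by=/usr/share/keyrings/third-party-archive-keyring.gpg] https://third-party.example.org/debian stable main

# /etc/apt/preferences.d/third-party.pref (constructed example)
# Default for this origin: priority -1 means "never install", so a
# third-party build of apt, openssh-server or any other base package
# is ignored even if its version number is higher.
Package: *
Pin: origin "third-party.example.org"
Pin-Priority: -1

# Allow-list only the packages this repository was added for.
Package: some-codec-pkg another-codec-pkg
Pin: origin "third-party.example.org"
Pin-Priority: 500
```

After writing the files, `apt-cache policy openssh-server` should show only Debian candidates for that package, while `apt-cache policy some-codec-pkg` lists the third-party version at priority 500. `Pin: origin` matches the hostname of the source; if the repository publishes a stable `Origin:` field in its Release file, `Pin: release o=...` is a more robust selector. Note that pinning does not remove the need for key hygiene: removing a repository line should still be paired with removing its keyring file.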
