[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: concrete steps for improving apt downloading security and privacy



Thanks.

I'm new here. I was not on this list then. However, I just read the thread:

https://lists.debian.org/debian-security/2011/01/msg00002.html

I saw that some of my concerns were mentioned there about obtaining and verifying installation media, MITM attacks, etc.

I have previously verified installation media via the methods described in the FAQ, downloading GPG keys, etc. and still
had an issue of having aptitude telling me that all available packages are from untrusted sources. (This was some years
ago when I had this issue)

I seem to remember being offered security updates for the kernel, OpenSSL, SSH, etc. where my only option was to download
untrusted packages. I would get warning messages from aptitude about installing security updates.

Maybe there should be written a document that describes in detail in easy to understand language what steps to take to
verify keys and verify that apt has not been compromised in an already installed system. And also verifying that GPG has not
been compromised.

It is the job of the NSA to be able to compromise systems. We should make that task as difficult as possible at every level
and also be able to easily verify that our system has not been corrupted.

I think having a good guide to checking your installed Debian system would be of use. Particularly useful would be instructions
to check to see if your system has been compromised by validating all already installed packages. MS Windows has an option
to check installed Windows components.


Some relevant links that I have previously discovered:

https://wiki.debian.org/Keysigning
https://wiki.debian.org/Keysigning/Coordination
http://www.debian.org/CD/verify
http://www.debian.org/CD/faq/#verify


On Wed, Jul 9, 2014 at 8:11 PM, Michael Stone <mstone@debian.org> wrote:
On Wed, Jul 09, 2014 at 06:29:09PM -0600, Kitty Cat wrote:
For years I have been concerned with MITM attacks on Debian mirrors.

We discussed this literally within the past couple of months on this list, at length. Have you read the archives, including the posts about how to establish a trust path to the ISOs?

Mike Stone



--
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20140710021124.GA27544@mathom.us" target="_blank">https://lists.debian.org/20140710021124.GA27544@mathom.us



Reply to: