Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
- To: debian-security@lists.debian.org
- Subject: Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy
- From: Hans-Christoph Steiner <hans@at.or.at>
- Date: Thu, 16 Oct 2014 11:25:30 -0400
- Message-id: <543FE36A.5070205@at.or.at>
- In-reply-to: <543CDE75.7050708@debian.org>
- References: <201407221617.47375.holger@layer-acht.org> <541B8750.603@at.or.at> <CAKTje6EGFXcOpT3K7C2imneW4FPxnypwQfNUMjuLZ3=k1pFh8w@mail.gmail.com> <541C005D.2010404@gmail.com> <541C2CC5.8000406@fifthhorseman.net> <541C5597.3030905@guardianproject.info> <541C5C47.3000308@fifthhorseman.net> <541C7A58.2070105@guardianproject.info> <541C812F.209@fifthhorseman.net> <54238694.6030606@guardianproject.info> <20140925035052.GA20936@fama> <5423991B.5010503@at.or.at> <543CDE75.7050708@debian.org>
René Mayrhofer wrote:
> On 2014-09-25 06:24, Hans-Christoph Steiner wrote:
>>
>> W. Martin Borgert wrote:
>>> On 2014-09-24 23:05, Hans-Christoph Steiner wrote:
>>>> * the signature files sign the package contents, not the hash of
>>>> whole .deb file (i.e. control.tar.gz and data.tar.gz).
>>> So preinst and friends would not be signed? Sounds dangerous to me.
>> All package contents would be signed, except the signature itself. The
>> signature would be a separate file in the ar archive of the .deb that signs
>> control.tar.gz and data.tar.gz. See jar or apk format for an example of how
>> this works.
> I know I'm late to the discussion, but for the record, I fully agree
> with this approach as the probably best compromise between usability
> (don't underestimate that, see the emergence of the various "app shops"
> for Linux applications), security, and flexibility. If anybody wants to
> work on that, I'm happy to support it in the University Linz context
> (i.e. as student work, thesis, etc.) and contribute to the process
> (although, depressingly but realistically, not the implementation).
>
> Rene
Since you mention Austria, I'll be based in Vienna from Oct 30th until March
3rd. Perhaps we could even arrange a dev meeting/sprint on this topic in Linz
or Vienna.
.hc
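
As an added illustration of the layout described in the quoted message (not code from this thread, dpkg or any Debian tool): a sketch that parses the ar container and digests only control.tar.* and data.tar.*, so appending a signature member leaves the digest unchanged while any change to control.tar.gz, where preinst lives, alters it. The member name `_sig-example`, the length-prefixed digest framing and all sample bytes are assumptions constructed for the example.

```python
import hashlib
AR_MAGIC = b"!<arch>\n"
PARTS = ("control.tar", "data.tar")  # the two members the message says are signed

def ar_members(blob):
    """Yield (name, data) for each member of a plain ar archive (the .deb container)."""
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    pos = 8
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) != 60 or hdr[58:] != b"`\n":
            raise ValueError("bad ar member header")
        name = hdr[:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(hdr[48:58].decode("ascii"))
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member")
        yield name, data
        pos += 60 + size + (size & 1)  # member data is padded to an even length

def signed_digest(blob):
    """SHA-256 over control.tar.* then data.tar.*; every other member is ignored."""
    found = {}
    for name, data in ar_members(blob):
        for part in PARTS:
            if name == part or name.startswith(part + "."):
                if part in found:  # two candidates would make the signed content ambiguous
                    raise ValueError("duplicate " + part)
                found[part] = (name, data)
    h = hashlib.sha256()
    for part in PARTS:
        if part not in found:
            raise ValueError("missing " + part)
        name, data = found[part]
        h.update(b"%d:%s:%d:" % (len(name), name.encode(), len(data)) + data)  # length-prefixed
    return h.hexdigest()

def make_ar(members):  # builds a constructed ar archive for the demo, not a real package
    out = AR_MAGIC
    for name, data in members:
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name.encode(), 0, 0, 0, b"100644", len(data))
        out += data + (b"\n" if len(data) & 1 else b"")
    return out

CONTROL, DATA = b"constructed control.tar.gz (holds preinst)", b"constructed data.tar.gz"
BASE = [("debian-binary", b"2.0\n"), ("control.tar.gz", CONTROL), ("data.tar.gz", DATA)]
UNSIGNED = make_ar(BASE)
SIGNED = make_ar(BASE + [("_sig-example", b"constructed signature")])  # hypothetical name
TAMPERED = make_ar([BASE[0], ("control.tar.gz", CONTROL + b"!"), BASE[2]])
```

A verifier built this way would check the signature member against `signed_digest()` of the same file; the sketch rejects a second control.tar.* or data.tar.* member because it would otherwise be unclear which one the signature covers.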