For years I have been concerned with MITM attacks on Debian mirrors.
I think the only valid solution would be to individually sign EACH package with a valid GPG
signature from a trusted source.
I think EACH official package from Debian should be GPG signed by both package maintainers and
also signed by official Debian release people.
My downloader resolves
http://cdimage.debian.org/ to NSA mirror site through DNS cache poisoning
or some other means. So, whatever I am downloading is already compromised. All signatures are valid
but are from the NSA.
So there is no way for me to actually check that I have downloaded valid files if everything that I see is
actually faked!
If I go edit apt sources list and manage to get an actual real Debian server update, then apt tells me that
all packages available to download are security compromised.
Or lets say that I get a real install ISO disc and then later on my apt mirror site is redirected to NSA mirror.
Apt will tell me that all packages available to download are security compromised.
One of the two scenarios above has actually happened to me!!! I don't know if it is actually the NSA but it
DID happen to me. Aptitude was telling me that every single package available for download was compromised!
Think about this for a minute. If my ISP or upstream provider is secretly cooperating with the NSA and the
NSA wants to compromise my machine, they can make it so that everything that I download is through an
NSA source!
Remember, the NSA can create VALID SSL certificates for any website on the fly.
Your web browser trusts many certificate authorities and which ones are cooperating with the NSA?
So how can we really be sure that our Debian install has not been compromised from the beginning?