Re: concrete steps for improving apt downloading security and privacy

To: debian-security@lists.debian.org
Subject: Re: concrete steps for improving apt downloading security and privacy
From: Michael Stone <mstone@debian.org>
Date: Tue, 15 Jul 2014 16:44:03 -0400
Message-id: <[🔎] 934303a6-0c60-11e4-b95c-00163eeb5320@msgid.mathom.us>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 53C58E06.3030808@at.or.at>
References: <[🔎] CACJnc4hN93PJHuWm_GU-sXASW-65OaDtNJL6jH0gumqbyLsv8Q@mail.gmail.com> <[🔎] 53C40446.8010309@at.or.at> <[🔎] CAKTje6Fk+8zDHmQRsqYLDe0ABAb8q2OMrnRmvyhp2OyYFe=wbQ@mail.gmail.com> <[🔎] 53C40932.4070002@at.or.at> <[🔎] b0a0301e-0b79-11e4-8363-00163eeb5320@msgid.mathom.us> <[🔎] 53C411C2.4070108@at.or.at> <[🔎] d4a2c78e-0b7d-11e4-b7fa-00163eeb5320@msgid.mathom.us> <[🔎] 53C564A8.4000602@at.or.at> <[🔎] 6e73f5b0-0c49-11e4-ac7f-00163eeb5320@msgid.mathom.us> <[🔎] 53C58E06.3030808@at.or.at>

On Tue, Jul 15, 2014 at 04:24:38PM -0400, Hans-Christoph Steiner wrote:

I'm not saying that adding .deb signature validation to `dpkg -i` would be
trivial and without risk.  But the idea of validating signed package files on
install is hardly revolutionary or even novel any more. Indeed it is pretty
widespread: think Android, Fedora, Java, iOS, etc.  I think it is the cleanest
approach for the problem that I've outlined.

Except that you haven't addressed *at all* why the current mechanism isinsufficient, except that you don't like it and want to do somethingelse instead. You understand why that argument isn't particularlycompelling.


Mike Stone

Reply to:

Follow-Ups:
- Re: concrete steps for improving apt downloading security and privacy
  - From: Holger Levsen <holger@layer-acht.org>

References:
- Re: concrete steps for improving apt downloading security and privacy
  - From: Kitty Cat <realizar.la.paz@gmail.com>
- Re: concrete steps for improving apt downloading security and privacy
  - From: Hans-Christoph Steiner <hans@at.or.at>
- Re: concrete steps for improving apt downloading security and privacy
  - From: Paul Wise <pabs@debian.org>
- Re: concrete steps for improving apt downloading security and privacy
  - From: Hans-Christoph Steiner <hans@at.or.at>
- Re: concrete steps for improving apt downloading security and privacy
  - From: Michael Stone <mstone@debian.org>
- Re: concrete steps for improving apt downloading security and privacy
  - From: Hans-Christoph Steiner <hans@at.or.at>
- Re: concrete steps for improving apt downloading security and privacy
  - From: Michael Stone <mstone@debian.org>
- Re: concrete steps for improving apt downloading security and privacy
  - From: Hans-Christoph Steiner <hans@at.or.at>
- Re: concrete steps for improving apt downloading security and privacy
  - From: Michael Stone <mstone@debian.org>
- Re: concrete steps for improving apt downloading security and privacy
  - From: Hans-Christoph Steiner <hans@at.or.at>

Prev by Date: Re: concrete steps for improving apt downloading security and privacy
Next by Date: Re: concrete steps for improving apt downloading security and privacy
Previous by thread: Re: concrete steps for improving apt downloading security and privacy
Next by thread: Re: concrete steps for improving apt downloading security and privacy
Index(es):
- Date
- Thread