Bug#413070: notes on security

[Jari Aalto <jari.aalto@cante.net>]

Christoph Anton Mitterer
<christoph.anton.mitterer@physik.uni-muenchen.de> writes:
>> ... sources are fetched from Bazaar version control
>> repository hosted by launchpad.net. The repository's integrity isn't
>> compromized while the cloning, the download, happends.
>
> I mean regardless of whether you download a tgz or something from  VCS,...
> this means, that without additional checking, installation of a debian
> package introduces unverified code, or not?

Does any of these answer the concerns?

1. Originality of the 4.3a sources?

   They are the same on disk as they are at the launchpad.net bzr
   repository (the cloning process; repository download, is in itself a
   "verification process"). This is different from the possibliity to
   grab tar.gz files from hosts all over the world (mirrors). There you
   need *.gpg signature files to verify integrity.

   The 4.3a sources itself are open for review.

2. tc-installer and patches?

   The process applies patches to support later kernels.

   The patches are protected by GPG signature of the whole
   tc-install*.deb package; inside which they are.

3. Produced *.deb packages that the installer produces?

   The produced truecrypt *.deb packages are made by the standard Debian
   packaging commands. They are locally issued by the user who runs
   tc-dpkg(1) command.

   The build process runs Truecrypt selfcheck; to check the encryption
   algorithms.

   The security of the *.deb packages to enable Truecrypt is under his
   control.

Jari