
Bug#66542: marked as done (apt: security features that would be nice in apt-get and related tools)



Your message dated Fri, 30 Jun 2000 20:09:22 -0600 (MDT)
with message-id <Pine.LNX.3.96.1000630200455.30430B-100000@wakko.deltatee.com>
and subject line Bug#66542: apt: security features that would be nice in apt-get and related tools
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Darren Benham
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 30 Jun 2000 16:19:49 +0000
>From bkuhn@ebb.org Fri Jun 30 11:19:49 2000
Return-path: <bkuhn@ebb.org>
Received: from agnostic.ebb.org [206.112.217.56] (root)
	by master.debian.org with esmtp (Exim 3.12 2 (Debian))
	id 1383W8-0004O6-00; Fri, 30 Jun 2000 11:19:49 -0500
Received: from atheist (mail@atheist [10.0.0.40])
	by agnostic.ebb.org (8.8.7/8.8.7) with ESMTP id MAA03052
	for <submit@bugs.debian.org>; Fri, 30 Jun 2000 12:19:45 -0400
Received: from bkuhn by atheist with local (Exim 2.05 #1 (Debian))
	id 1383W4-00011h-00; Fri, 30 Jun 2000 12:19:44 -0400
Date: Fri, 30 Jun 2000 12:19:44 -0400
From: "Bradley M. Kuhn" <bkuhn@ebb.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apt: security features that would be nice in apt-get and related tools
Message-ID: <20000630121944.A3845@ebb.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="5mCyUwZo2JvN/JJP"
X-Mailer: Mutt 1.0i
X-Reportbug-Version: 0.54
X-No-Archive: yes
Delivered-To: submit@bugs.debian.org


--5mCyUwZo2JvN/JJP
Content-Type: text/plain; charset=us-ascii

Package: apt
Version: 0.3.19
Severity: wishlist

I am very security conscious, and I do know that apt-get/dpkg is checking
md5sums based on those listed in /var/lib/dpkg/available.

However, I have two features that I think would be nice for those of us who
are paranoid about making sure we are really downloading the binaries that
the developer installed.

(0) It would be great if apt-get had a "security verbosity" flag.  I just
    get a good feeling when I see something like:
       md5sum from /var/lib/dpkg/available: xxxxxxx
       md5sum from foo.deb:                 xxxxxxx
                                           MATCH!

(1) It would be great if the package list (i.e., /var/lib/dpkg/available)
    were somehow GPG signed by someone on the Debian keyring, and if the
    user used --with-gpg or some such option, that signature was checked
    each time `apt-get update' was run.

    And, related to (0), if `apt-get update' said something like (when
    "security verbosity" was turned on)

    GPG signature of Foobar checked and is valid on Packages file from xxx


-- System Information
Debian Release: potato
Architecture: i386
Kernel: Linux atheist 2.2.14 #8 Tue Jan 11 21:25:15 EST 2000 i586

Versions of packages apt depends on:
ii  libc6                         2.1.3-10   GNU C Library: Shared libraries an
ii  libstdc++2.10                 1:2.95.2-4 The GNU stdc++ library            

-- 
Bradley M. Kuhn  -  http://www.ebb.org/bkuhn

--5mCyUwZo2JvN/JJP
Content-Type: application/pgp-signature


--5mCyUwZo2JvN/JJP--
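
As an added example (not part of the bug report and not apt's own code), here is the check the report describes in (0): parse the MD5sum field out of Packages/available-style control stanzas, hash the downloaded .deb, and print the two digests side by side. The package names, file contents and paths are constructed placeholders.

```python
import hashlib, hmac

# Constructed stand-ins for two downloaded .deb files (not real archives).
FOO_DEB = b"!<arch>\nconstructed placeholder contents of foo_1.0-1_i386.deb\n"
BAR_DEB = b"!<arch>\nconstructed placeholder contents of bar_2.3-1_i386.deb\n"

def md5_hex(data: bytes) -> str:
    """Lowercase hex MD5 digest, the form used by the MD5sum field."""
    return hashlib.md5(data).hexdigest()

# Constructed Packages/available-style stanzas; the MD5sum values are derived
# from the placeholder bytes above so the sample index is self-consistent.
PACKAGES = (
    "Package: foo\nVersion: 1.0-1\nFilename: pool/main/f/foo/foo_1.0-1_i386.deb\n"
    f"MD5sum: {md5_hex(FOO_DEB)}\nDescription: constructed test package\n"
    " continuation line of the description\n\n"
    "Package: bar\nVersion: 2.3-1\nFilename: pool/main/b/bar/bar_2.3-1_i386.deb\n"
    f"MD5sum: {md5_hex(BAR_DEB)}\n"
)

def parse_packages(text: str) -> dict:
    """Parse blank-line separated control stanzas into {Package: {field: value}}.
    Lines starting with whitespace continue the previous field."""
    stanzas, fields, last = {}, {}, ""
    for line in text.splitlines():
        if not line.strip():
            if fields:
                stanzas[fields["Package"]] = fields
            fields, last = {}, ""
        elif line[0] in " \t" and last:
            fields[last] += "\n" + line.strip()
        else:
            name, _, value = line.partition(":")
            last = name.strip()
            fields[last] = value.strip()
    if fields:
        stanzas[fields["Package"]] = fields
    return stanzas

def verify_deb(stanzas: dict, package: str, deb: bytes, verbose: bool = True) -> tuple:
    """Return (expected, actual, match); verbose prints the display the report asks for."""
    expected, actual = stanzas[package]["MD5sum"], md5_hex(deb)
    match = hmac.compare_digest(expected, actual)  # constant-time string compare
    if verbose:
        fname = stanzas[package]["Filename"].rsplit("/", 1)[-1]
        print(f"{'md5sum from Packages list:':<36}{expected}")
        print(f"{'md5sum from ' + fname + ':':<36}{actual}")
        print(" " * 36 + ("MATCH!" if match else "MISMATCH - do not install"))
    return expected, actual, match
```

MD5 is used here only because that is what this 2000-era report and dpkg's available file carried; modern apt chains SHA256 digests up to a signed Release file, which is what makes such a check meaningful against a tampered mirror.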

---------------------------------------
Received: (at 66542-done) by bugs.debian.org; 1 Jul 2000 02:09:46 +0000
>From jgg@ualberta.ca Fri Jun 30 21:09:46 2000
Return-path: <jgg@ualberta.ca>
Received: from tmmi197-073.telusvelocity.net (wakko.deltatee.com) [209.115.197.73] (mail)
	by master.debian.org with esmtp (Exim 3.12 2 (Debian))
	id 138Cj3-0007JN-00; Fri, 30 Jun 2000 21:09:45 -0500
Received: from localhost (wakko.deltatee.com) [127.0.0.1] (jgg)
	by wakko.deltatee.com with smtp (Exim 2.11 #1)
	id 138Cih-0007vj-00 (Debian); Fri, 30 Jun 2000 20:09:23 -0600
Date: Fri, 30 Jun 2000 20:09:22 -0600 (MDT)
From: Jason Gunthorpe <jgg@ualberta.ca>
X-Sender: jgg@wakko.deltatee.com
To: "Bradley M. Kuhn" <bkuhn@ebb.org>, 66542-done@bugs.debian.org
cc: APT Development Team <deity@lists.debian.org>
Subject: Re: Bug#66542: apt: security features that would be nice in apt-get and related tools
In-Reply-To: <20000630121944.A3845@ebb.org>
Message-ID: <Pine.LNX.3.96.1000630200455.30430B-100000@wakko.deltatee.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Delivered-To: 66542-done@bugs.debian.org


On Fri, 30 Jun 2000, Bradley M. Kuhn wrote:

> (0) It would be great if apt-get had a "security verbosity" flag.  I just
>     get a good feeling when I see something like:
>        md5sum from /var/lib/dpkg/available: xxxxxxx
>        md5sum from foo.deb:                 xxxxxxx
>                                            MATCH!

You are kidding right? Even GPG doesn't show the digests of the messages
it is checking!


> (1) It would be great if the package list (i.e., /var/lib/dpkg/available)
>     were somehow GPG signed by someone on the Debian keyring, and if the

This, in various forms, has been proposed but cannot be implemented without
archive support, which is somewhat complicated for a lot of reasons.

Jason
