
Bug#945283: users should check whether they get same packages as all other users get



Hi,

On Fri, Nov 22, 2019 at 03:20:45PM +0300, dinar qurbanov wrote:

> so, in order to serve a package with malware to a
> user, distribution/repository admins would have to also serve wrong
> "packages" and "release" files to him. so, if user checks the
> "release" file, that it is ok, enough, he can be sure that packages
> are also ok.

There are also the Release.gpg and InRelease files, which contain a PGP
signature for the data in the Release file, anchoring the trust chain in a
public key distributed inside the Debian installer, so an attacker cannot
generate a Release file that will be accepted by apt.

It is possible to delay updates by several days as apt accepts older
timestamps on Release files, precisely so out-of-date mirrors can be used
for noncritical updates. The security updates are distributed centrally,
and the timestamp on those files is checked more stringently (the Release
file on the security mirror has a Valid-Until field; after that time apt
requires that package lists are refreshed).

> from point of view of users, debian
> may have to send malware to some users by government request. if to
> say about all distributions, there may be malicious distributions.

There is only one central point by which packages enter the mirror network,
so comparing packages across mirrors does not give any advantage. If the
central point is compromised, all mirrors are; if individual mirrors are
compromised, they are unable to serve packages at all, because they do not
have a valid signed Release file.

   Simon
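The trust chain Simon describes (Release lists the digests of the index files, the Packages index lists the digest of each .deb, and a Valid-Until field bounds how stale a Release may be) can be walked explicitly. The following is an added example, not code from this thread or from apt itself; the Release body, Packages stanza and .deb bytes are constructed sample data, and the PGP signature check that InRelease/Release.gpg provide is assumed to have been done beforehand and is not part of this block.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample data (not real Debian files): a fake .deb, the Packages
# stanza that indexes it, and the Release body that indexes the Packages file.
DEB_BYTES = b"not a real .deb, just sample bytes for the example\n"
PACKAGES = (
    "Package: example-pkg\nVersion: 1.0-1\n"
    "Filename: pool/main/e/example-pkg_1.0-1_all.deb\n"
    f"Size: {len(DEB_BYTES)}\nSHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n\n"
).encode()
RELEASE = (
    "Origin: Example\nSuite: stable\nCodename: example\n"
    "Date: Fri, 22 Nov 2019 12:00:00 UTC\nValid-Until: Fri, 29 Nov 2019 12:00:00 UTC\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-all/Packages\n"
)

def parse_release(text):
    """Return (header fields, {path: (sha256, size)}) from a signed-body Release."""
    fields, hashes, in_sha = {}, {}, False
    for line in text.splitlines():
        if line.startswith(" ") and in_sha:          # indented digest lines
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
        elif line.startswith("SHA256:"):
            in_sha = True
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
            in_sha = False
    return fields, hashes

def release_valid(fields, now):
    """Freshness rule: a Release whose Valid-Until has passed must be refreshed, not trusted."""
    until = datetime.strptime(fields["Valid-Until"], "%a, %d %b %Y %H:%M:%S %Z")
    return now <= until.replace(tzinfo=timezone.utc)

def digest_matches(data, expected_sha256, expected_size):
    return len(data) == expected_size and hashlib.sha256(data).hexdigest() == expected_sha256

def verify_deb(packages, filename, data):
    """Find the stanza for `filename` in a Packages index and check the .deb against it."""
    for stanza in packages.decode().split("\n\n"):
        f = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if f.get("Filename") == filename:
            return digest_matches(data, f["SHA256"], int(f["Size"]))
    return False                                     # not listed: untrusted

def chain_ok(release_text, packages, deb, now, index="main/binary-all/Packages",
             filename="pool/main/e/example-pkg_1.0-1_all.deb"):
    """Release freshness -> Packages digest -> .deb digest; any broken link rejects the package."""
    fields, hashes = parse_release(release_text)
    return (release_valid(fields, now) and index in hashes
            and digest_matches(packages, *hashes[index])
            and verify_deb(packages, filename, deb))
```

A mirror that swapped the .deb, the Packages file, or served a stale Release fails at the corresponding link, which is why checking the signed Release is enough to cover the packages beneath it.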

