Tugger the SLUGger!SLUG Mailing List Archives

Re: [SLUG] Security of auto updates; was Debian/Mandrake


On Mon, Aug 14, 2000 at 02:31:58PM +1000, Roland Turner wrote:
> Michael Lake wrote:
> 
> > What are the security implications, is rpm update or apt
> > get-install written in such a way to not pose a problem, am
> > I being too paranoid?
> 
> The honest answer is "I don't know". I do know that Debian packages are
> signed, so it is possible to confirm that the packages that are being
> downloaded are signed by trusted developers (or at least, that the

No, that's a myth. A good comparision is at 
<URL: http://www.kitenet.net/~joey/pkg-comp/>. In Debian the .changes and the
.dsc file are signed by the developer. Package signing will happen according
to <URL: http://www.debian.org/News/weekly/2000/24/>

> into installing). I don't know whether this is actually being checked.
> In any event, it would probably easier for an intruder to insert bad
> code into a program that runs as root and have it included into Debian,
> than to spoof your download.
> 
> I suspect that this is part of a broad trust issue that depends upon
> reputation (thus Debian's strong requriements on identifying
> developers). 

Interesting you should pick up on them. The only "strength" to Debian
identification process is that you ought to have your key signed by
another developer. That has (recently) been loosened. Examine:
<URL: http://www.debian.org/devel/join/nm-step2> there are a number
of problems with the guidelines listed there.

Cheers,
Anand