package: dpkg
severity: wishlist
tags: security
version: 1.14.25

Hi,
during a discussion about how to compromise the security of a Debian system I
noticed that /var/log/dpkg.log just logs the version number of the packages
installed, thus one can inject an on-the-fly-modified .deb with the same
version number (provided the user ignores an apt authentication warning),
which does harmful things and cleans up after itself with no trace on the
machine, even if /var/log/dpkg.log is stored securely, i.e. with capabilities.
Please add an option to log the sha1sum of installed binary packages
in /var/log/dpkg.log.
Thanks.
regards,
Holger
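As an added defender-side illustration (not part of the bug report or of dpkg's own code), the following Python parses dpkg.log action lines in their real format, appends the sha1sum of the unpacked .deb as the report requests, and flags an entry whose hash differs from the one the archive published for that package/version. The .deb contents, log lines and trusted-hash table are all constructed sample data.

```python
import hashlib
import re

# dpkg.log action lines: "<date> <time> <action> <package> <old-version> <new-version>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>install|upgrade|remove|purge) "
    r"(?P<pkg>\S+) (?P<old>\S+) (?P<new>\S+)$"
)

def parse_action(line):
    """Return the fields of an install/upgrade/remove/purge line, or None for status lines."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def sha1sum(deb_bytes):
    return hashlib.sha1(deb_bytes).hexdigest()

def augment(line, deb_bytes):
    """Rebuild an action line with the sha1sum of the .deb appended (what the report asks for)."""
    if parse_action(line) is None:
        return line.strip()
    return f"{line.strip()} sha1={sha1sum(deb_bytes)}"

def audit(augmented_lines, trusted):
    """Flag install/upgrade entries whose recorded hash differs from the archive's
    published hash for that package/version; trusted maps (pkg, version) -> sha1."""
    findings = []
    for line in augmented_lines:
        base, _, recorded = line.rpartition(" sha1=")
        fields = parse_action(base)
        if fields is None or fields["action"] not in ("install", "upgrade"):
            continue
        expected = trusted.get((fields["pkg"], fields["new"]))
        if expected is not None and expected != recorded:
            findings.append((fields["ts"], fields["pkg"], fields["new"], recorded))
    return findings

# Constructed sample data: two installs of "foo 1.0-1" that look identical in dpkg.log,
# one from the genuine .deb and one from a modified .deb carrying the same version.
GENUINE_DEB = b"!<arch>\ndebian-binary ...constructed genuine payload..."
TAMPERED_DEB = b"!<arch>\ndebian-binary ...constructed modified payload..."
LOG_LINES = [
    "2009-01-10 12:00:01 install foo <none> 1.0-1",
    "2009-01-10 12:00:02 status installed foo 1.0-1",
    "2009-01-11 09:30:00 upgrade foo 1.0-1 1.0-1",
]
TRUSTED = {("foo", "1.0-1"): sha1sum(GENUINE_DEB)}  # as if taken from the archive's Packages file

def demo():
    augmented = [augment(LOG_LINES[0], GENUINE_DEB), augment(LOG_LINES[1], b""),
                 augment(LOG_LINES[2], TAMPERED_DEB)]
    return audit(augmented, TRUSTED)  # only the second install of 1.0-1 is flagged
```

Without the appended hash, the first and third lines record nothing that distinguishes the genuine package from the modified one.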