Package: dpkg
Severity: wishlist
Tags: security
Version: 1.14.25

Hi,
During a discussion about how to compromise the security of a Debian system I noticed that /var/log/dpkg.log just logs the version number of the packages installed. Thus one can inject an on-the-fly-modified .deb with the same version number (provided the user ignores an apt authentication warning), which does harmful things and cleans up after itself with no trace on the machine, even if /var/log/dpkg.log is stored securely, i.e. with capabilities.

Please add an option to log the sha1sum of installed binary packages in /var/log/dpkg.log.

Thanks.

regards,
Holger
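The gap the report describes, shown as an added example that is not part of the bug report or of dpkg itself: a small post-processor that appends the SHA-1 of the corresponding .deb to each dpkg.log install/upgrade entry, so that two packages carrying the same version string can be told apart. It assumes the .deb is still present under apt's archive naming (`<pkg>_<version>_<arch>.deb`, epoch colon encoded as `%3a`); the log lines and .deb contents used in `demo()` are constructed.

```python
import hashlib
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Shape of a dpkg.log install/upgrade line:
# "<date> <time> install|upgrade <package> <old-version> <new-version>"
DPKG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>install|upgrade) "
    r"(?P<pkg>\S+) (?P<old>\S+) (?P<new>\S+)$"
)

def sha1_of_file(path):
    """Hex SHA-1 of a file, read in chunks so large .debs stay out of memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def enrich_dpkg_log(lines, archive_dir, arch="i386"):
    """Return dpkg.log lines with ' sha1=<digest>' appended to install/upgrade entries.
    The .deb is looked up as <pkg>_<version>_<arch>.deb in archive_dir, the naming
    apt uses in /var/cache/apt/archives (the epoch ':' is encoded as '%3a')."""
    out = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = DPKG_LINE.match(line)
        if not m:
            out.append(line)            # status lines etc. pass through untouched
            continue
        ver = m.group("new").replace(":", "%3a")
        deb = Path(archive_dir) / f"{m.group('pkg')}_{ver}_{arch}.deb"
        digest = sha1_of_file(deb) if deb.is_file() else "unavailable"
        out.append(f"{line} sha1={digest}")
    return out

def demo():
    """Constructed scenario: identical log line for a genuine and a tampered .deb."""
    log = ["2009-01-01 12:00:00 install foo <none> 1.0-1"]
    with TemporaryDirectory() as d:
        deb = Path(d) / "foo_1.0-1_i386.deb"
        deb.write_bytes(b"genuine deb contents")     # constructed stand-in for a .deb
        genuine = enrich_dpkg_log(log, d)[0]
        deb.write_bytes(b"modified deb contents")    # same file name, same version
        tampered = enrich_dpkg_log(log, d)[0]
    return genuine, tampered
```

Run `demo()` to see that the version field is identical in both entries while the appended digest differs, which is exactly what the plain dpkg.log cannot show.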