Your message dated Sun, 10 May 2009 22:38:50 +0200
with message-id <20090510203850.ga13...@rivendell>
and subject line Re: Bug#523745: please log sha1sum of installed debs
has caused the Debian Bug report #523745,
regarding please log sha1sum of installed debs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
523745: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523745
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: dpkg
severity: wishlist
tags: security
version: 1.14.25

Hi,

during a discussion about how to compromise the security of a Debian system I 
noticed that /var/log/dpkg.log just logs the version number of the packages 
installed, thus one can inject an on-the-fly-modified .deb with the same 
version number (provided the user ignores an apt authentication warning), 
which does harmful things and cleans up after itself with no trace on the 
machine, even if /var/log/dpkg.log is stored securely, i.e. with capabilities.

Please add an option to log the sha1sum of installed binary packages 
in /var/log/dpkg.log.

Thanks.


regards,
        Holger

--- End Message ---
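
The gap the report above describes, as an added example that is not part of the original thread and is not dpkg code: two .deb files with the same package name and version yield the same name-and-version log entry, and only a digest over the whole file tells them apart. The log line layout, the `sha1=` field and the helper names are assumptions, the sample packages are constructed and not installable, and SHA-1 is used only because the report asks for it.

```python
import hashlib, io, tarfile

def ar_members(data):
    """Yield (name, payload) for each member of the ar archive a .deb is."""
    if data[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(data):
        header = data[pos:pos + 60]
        name = header[:16].decode().strip().rstrip("/")
        size = int(header[48:58].decode())
        yield name, data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # members start on even offsets

def control_fields(data):
    """Return the control file's fields (only control.tar.gz is handled)."""
    for name, payload in ar_members(data):
        if name == "control.tar.gz":
            with tarfile.open(fileobj=io.BytesIO(payload), mode="r:gz") as tar:
                ctl = next(m for m in tar.getmembers() if m.name.lstrip("./") == "control")
                text = tar.extractfile(ctl).read().decode()
            return dict(l.split(": ", 1) for l in text.splitlines() if ": " in l)
    raise ValueError("control.tar.gz not found")

def log_entry(data, stamp):
    """Name-and-version log line plus a hypothetical sha1= field over the whole .deb."""
    f = control_fields(data)
    return f"{stamp} install {f['Package']} {f['Version']} sha1={hashlib.sha1(data).hexdigest()}"

def build_sample_deb(package, version, payload):
    """Constructed test input: a minimal .deb-shaped ar archive (not installable)."""
    def tar_gz(name, content):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tar:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
        return buf.getvalue()
    def member(name, content):  # 60-byte ar header, payload, padding to even length
        head = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(content):<10}`\n".encode()
        return head + content + (b"\n" if len(content) & 1 else b"")
    control = f"Package: {package}\nVersion: {version}\n".encode()
    return (b"!<arch>\n" + member("debian-binary", b"2.0\n")
            + member("control.tar.gz", tar_gz("./control", control))
            + member("data.tar.gz", tar_gz("./usr/bin/hello", payload)))

if __name__ == "__main__":
    for body in (b"original", b"modified"):  # same version, different contents
        print(log_entry(build_sample_deb("hello", "2.2-2", body), "2009-04-12 10:00:00"))
```
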
--- Begin Message ---
On Mon, 13 Apr 2009, Guillem Jover wrote:
> So we should either just close this or merge with the rest of bugs
> related to deb signing.

Agreed, closing now.

Cheers,
-- 
Raphaël Hertzog

Contribute to Debian and win a Debian Lenny administrator's handbook:
http://www.ouaza.com/wp/2009/03/02/contribuer-a-debian-gagner-un-livre/


--- End Message ---