Quoting Marcel Weber ([EMAIL PROTECTED]):

>> Certain parts of the package are signed but there is no automated checking
>> of those signatures AFAIK.
>
> Well this would not be a big thing, would it? When I take a look at
> the ftp server, there is a .dsc with pgp signatures for each package.
> So letting dselect / aptitude or better dpkg-get do a check for the
> key via gpg would be no big deal, or am I wrong?

There's a pretty well-tested patch for dpkg to check signatures using
debsig-verify at installation time:

http://lists.debian.org/debian-dpkg/2001/debian-dpkg-200103/msg00024.html

For reasons that will be obvious when you read that post, using the
patch will remain a real pain in the ass unless/until no packages remain
that are unsigned. Also, the problem of ensuring that you get meaningful
assurance (e.g., can distinguish a trustworthy signature from one that
isn't) is more subtle than most people assume.

> As there are many mirrors worldwide, that could be hacked or
> something, it would be a huge security improvement.

And this is perhaps a bit less of a problem than you may be assuming.
The key (as usual) is to contemplate the threat model. If you're talking
about trojaned packages placed on a mirror, it's unlikely they'd remain
past the next rsync remirror.

-- 
Cheers,            There are only 10 types of people in this world --
Rick Moen          those who understand binary arithmetic and those who don't.
[EMAIL PROTECTED]

