> On 1/19/24, Max Nikulin wrote:
> When adding a third-party repository, evaluate that the GPG key you are
> going to add really belongs to the repository maintainers.

The sentence above is important to get the next phrase right.

On 19/01/2024 22:22, Albretch Mueller wrote:
> On 1/19/24, Max Nikulin wrote:
>> Precise steps
>> depend on the degree of your paranoia.
> [...]
>   I have always believed that Debian's basic assumptions about using the
> Internet as a relatively secure, "private" venue are definitely more
> worryingly irrational than my paranoia.

Debian does not control third-party repositories. It is up to users to decide if they trust such repositories and if they trust web pages containing identifiers of GPG public keys.

Actually, even in the case of official Debian images you need to get identifiers of GPG keys. Do you trust https://debian.org/? Are you sure that the browser's certificate store doesn't contain an extra certificate? Are you sure that you are not visiting an alternative site and that some certification authority among the "official" ones has not issued an alternative debian.org certificate? A particular WiFi hotspot might have malicious DNS and might direct you to a site looking like debian.org, but containing another set of GPG keys and pointing to specially crafted download links.

APT is secure even for HTTP, but it needs proper GPG keys. APT might be insecure even for HTTPS if the user adds a malicious repository and GPG keys for it (or if the user disables GPG signature checks).
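The check the thread keeps coming back to is comparing the downloaded key against a fingerprint you obtained somewhere other than the page that served the key. The script below is an added example, not code from the thread or from Debian: it parses `gpg --show-keys --with-colons` output for the primary-key fingerprint, refuses to install the key unless it matches the expected value exactly, and then pins the repository to that single key with `Signed-By:` so the key cannot vouch for any other source. It assumes `gpg`, `awk` and `curl` are installed; the key URL, repository URI and fingerprint passed on the command line are the caller's, and the sample fingerprints in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example: vet a third-party APT signing key by fingerprint before
# trusting it, then bind it to one repository via Signed-By.
set -e

# Print the fingerprint of each PRIMARY key in 'gpg --with-colons' output
# read from stdin. In colon format the 'fpr' record following a 'pub'
# record carries the primary fingerprint in field 10; 'fpr' records that
# follow 'sub' records belong to subkeys and are skipped here.
extract_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1 }
        $1 == "sub" { want = 0 }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Succeed only if stdin describes exactly one primary key and its
# fingerprint equals $1 (spaces and case in $1 are ignored, so a value
# copied from printed documentation can be passed as-is). A keyring with
# two primary keys fails on purpose: every key in the file would be
# trusted for the repository, not just the one you checked.
fingerprints_match() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=$(extract_fingerprints)
    [ "$found" = "$expected" ]
}

# Download a key, verify it against an out-of-band fingerprint, and only
# then place it under /etc/apt/keyrings. APT (>= 1.4) accepts ASCII-armored
# keys there when the file name ends in .asc.
#   install_repo_key NAME KEY_URL EXPECTED_FINGERPRINT
install_repo_key() {
    name=$1 key_url=$2 expected=$3
    tmp=$(mktemp)
    curl -fsSL "$key_url" -o "$tmp"
    if ! gpg --show-keys --with-colons "$tmp" | fingerprints_match "$expected"; then
        echo "refusing to install key for $name: fingerprint mismatch" >&2
        echo "got:" >&2
        gpg --show-keys --with-colons "$tmp" | extract_fingerprints >&2
        rm -f "$tmp"
        return 1
    fi
    install -d -m 0755 /etc/apt/keyrings
    install -m 0644 "$tmp" "/etc/apt/keyrings/$name.asc"
    rm -f "$tmp"
}

# Write a deb822 sources entry that trusts ONLY the vetted key for this
# repository. Without Signed-By the key would be consulted for every
# repository, which is the "malicious repository plus its key" failure
# mode described in the thread.
#   write_sources NAME REPO_URI SUITE COMPONENTS
write_sources() {
    name=$1 uri=$2 suite=$3 components=$4
    cat > "/etc/apt/sources.list.d/$name.sources" <<EOF
Types: deb
URIs: $uri
Suites: $suite
Components: $components
Signed-By: /etc/apt/keyrings/$name.asc
EOF
}

# Usage (placeholder values, run as root):
#   install_repo_key example https://repo.example.invalid/key.asc \
#       "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
#   write_sources example https://repo.example.invalid/debian bookworm main
```

The fingerprint argument is the only thing standing between you and the hotspot scenario above: if it comes from the same page that served the key, a site impersonating the vendor can simply publish both, so take it from a second channel (another network, printed docs, a signed announcement).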
