Your message dated Fri, 20 Feb 2009 11:34:03 +0100 (CET)
with message-id <[email protected]>
and subject line Re: Bug#515942: is/can secure-apt be used?
has caused the Debian Bug report #515942,
regarding is/can secure-apt be used?
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
515942: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=515942
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apt-file
Version: 2.2.2
Severity: wishlist
Hi.
As apt-file loads information from the internet, I wondered:
Is secure-apt used and if not, can it be used?
e.g. the Contents files,... are they secured by the signed Release files?
apt-file should check this (and then depend on
debian-archive-keyring), and bail out when something doesn't verify.
In addition: It should use ONLY the secure hashes provided. Especially
MD5 is now really broken, IMHO. If for a file only MD5 was provided,
I'd consider it as invalid, as well.
Thanks,
Chris.
-- System Information:
Debian Release: 5.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages apt-file depends on:
ii curl 7.18.2-8 Get a file from an HTTP, HTTPS or
ii libapt-pkg-perl 0.1.22+b1 Perl interface to libapt-pkg
ii libconfig-file-perl 1.50-1 Parses simple configuration files
ii liblist-moreutils-perl 0.22-1+b1 Addition list functions not found
ii perl 5.10.0-19 Larry Wall's Practical Extraction
Versions of packages apt-file recommends:
ii menu 2.1.41 generates programs menu for all me
Versions of packages apt-file suggests:
ii openssh-client 1:5.1p1-5 secure shell client, an rlogin/rsh
ii sudo 1.6.9p17-2 Provide limited super user privile
-- no debconf information
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
--- End Message ---
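The check the report asks for, written out as an added example (this is not apt-file's code, nor anything from the Debian archive tooling): parse the hash sections of a Release file whose OpenPGP signature has already been verified, and accept a downloaded Contents file only when a strong hash listed there matches it, refusing entries that carry only MD5 or SHA1. The Release body and the Contents bytes are constructed here, and the STRONG_ALGOS policy and the function names are assumptions. The check can only work when the archive lists Contents files in Release at all, which, as the reply below notes, was not the case at the time.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Release-file section headers and the hashlib algorithm each one lists.
SECTION_ALGOS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
# Assumed policy: only these algorithms count as verification; MD5/SHA1-only
# entries are treated as if the file were unlisted.
STRONG_ALGOS = {"sha256", "sha512"}

# Constructed sample Contents data and a constructed Release body listing it.
# The OpenPGP signature on the Release file is assumed to have been checked
# already (e.g. gpgv against debian-archive-keyring); that step is out of scope.
CONTENTS_AMD64 = b"bin/ls\tutils/coreutils\nusr/bin/apt-file\tadmin/apt-file\n"


def _digest(algo: str, data: bytes) -> str:
    return hashlib.new(algo, data).hexdigest()


SAMPLE_RELEASE = "\n".join([
    "Origin: Debian",
    "Suite: unstable",
    "MD5Sum:",
    f" {_digest('md5', CONTENTS_AMD64)} {len(CONTENTS_AMD64)} main/Contents-amd64",
    " d41d8cd98f00b204e9800998ecf8427e 0 main/Contents-i386",  # constructed MD5-only entry
    "SHA256:",
    f" {_digest('sha256', CONTENTS_AMD64)} {len(CONTENTS_AMD64)} main/Contents-amd64",
    "",
])


def parse_release_hashes(text: str) -> Dict[str, Dict[str, Tuple[str, int]]]:
    """Map each listed path to {algo: (hexdigest, size)} from the hash sections."""
    entries: Dict[str, Dict[str, Tuple[str, int]]] = {}
    algo = None
    for line in text.splitlines():
        if not line.startswith(" "):
            # Non-indented lines are fields; only hash-section headers matter here.
            algo = SECTION_ALGOS.get(line.rstrip(":")) if line.endswith(":") else None
            continue
        if algo is None:
            continue
        parts = line.split()
        if len(parts) != 3:
            continue  # not a "<hash> <size> <path>" entry
        digest, size, path = parts
        entries.setdefault(path, {})[algo] = (digest.lower(), int(size))
    return entries


def verify_against_release(release_text: str, path: str, data: bytes) -> Tuple[bool, str]:
    """Accept data only if a strong hash listed in Release matches it."""
    listed = parse_release_hashes(release_text).get(path)
    if listed is None:
        return False, f"{path} is not listed in Release"
    strong = {a: v for a, v in listed.items() if a in STRONG_ALGOS}
    if not strong:
        weak = ",".join(sorted(listed))
        return False, f"{path} has only weak hashes ({weak}); treated as unverified"
    for algo, (expected, size) in sorted(strong.items()):
        if len(data) != size:
            return False, f"{path}: size mismatch ({len(data)} != {size})"
        if not hmac.compare_digest(_digest(algo, data), expected):
            return False, f"{path}: {algo} mismatch"
    return True, f"{path} verified via {','.join(sorted(strong))}"


if __name__ == "__main__":
    for p, d in [("main/Contents-amd64", CONTENTS_AMD64),
                 ("main/Contents-amd64", b"tampered"),
                 ("main/Contents-i386", b""),
                 ("main/Contents-armel", b"")]:
        print(verify_against_release(SAMPLE_RELEASE, p, d))
```

The size check runs before hashing so a truncated or padded download is rejected cheaply, and every strong hash listed for the path must match, not just one, so an archive that lists SHA256 and SHA512 cannot be satisfied by a file that agrees with only one of them.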
--- Begin Message ---
On Thu, February 19, 2009 18:43, Christoph Anton Mitterer wrote:
>> The Release files do not currently sign the Contents files. I cannot
>> think of what we should gain with doing that.
> ...anyway, should these ever be signed (perhaps this can be requested),
> it's generally worthwhile to secure things. It doesn't cost much, and makes
> everything more secure. Perhaps we cannot even think right now about
> possible scenarios where information provided by apt-file might indeed be
> security critical.
As the Release files don't currently sign Contents files, there's not much
we can do about this in apt-file, so I'm closing the bug. As I believe
there are better ways to spend our time on securing Debian, I'm not
pursuing the issue further, but of course, feel free to try and get the
archive to sign the Contents files. Once that is the case we can reopen this
bug to see if we can implement a check for it.
cheers,
Thijs
--- End Message ---