Christoph Anton Mitterer wrote:
> By the way,.. a similar problem is also present in many other packages.
> Let me just name a few concrete examples so that you get a feeling on
> what I mean.
>
>
>
> 1) debootstrap/cdebootstrap
> IIRC, only cdebootstrap requires a keyring per default (or did it always
> use debian-archive-keyring?)
> Anyway,... while debootstrap supports verifying signatures and specifying
> a keyring,.. it doesn't do so per default.
> Neither does it fail if just nothing is specified (it should only work
> with verification, if some special parameter e.g. --dont-verify-sigs is
> given).
> I've filed a bug for this some time ago,... (and unfortunately a 2nd one
> recently) but it does not seem that upstream is willing to change this
> behaviour.
>
>
> 2) pbuilder and piuparts (and probably the Debian buildd's, too) create
> chroots to build the packages, and I think they're using one of the
> above for this.
> Per default they're not configured to use them (well at least
> debootstrap) with signatures.
> => Building packages may lead to installation and execution of malicious
> packages.
>
> I've filed bugs for at least pbuilder and piuparts.
>
>
> 3) aptitude
> Well I'm not sure here as I haven't had the time to read the code.
> For some actions (install/upgrade/dist-upgrade) it uses secure-apt as it
> simply uses apt-get (IIRC).
>
> But what about actions not provided by apt-get, like aptitude download
> <package>.
> So far I was not able to find out whether this uses secure apt or not.
>
>
> 4) apt-file (which I like very much)
> The Contents files are not yet signed AFAIK,.. and thus it cannot do any
> verification.

There are so many scenarios where we are not able to verify any signatures
(upstream does not provide any kind of verification) or where it is
nonsense. If we are so pedantic about this topic, we should also ask
ourselves if packages like wget, curl, ncftp, ftp etc. fulfil the security
requirements. We cannot secure *everything*, but the most important parts,
which Debian itself controls.

-- 
/*
With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

E-Mail: pmatth...@debian.org
        patr...@linux-dev.org

Comment:
Always if we think we are right,
we were maybe wrong.
*/