Re: dinstall and PGP

1998-04-15 Thread Adam Klein
On Tue, Apr 14, 1998 at 12:34:43AM +0200, Marco d'Itri wrote:
> On Apr 09, Manoj Srivastava <[EMAIL PROTECTED]> wrote:
> 
>  >Those files are small. One can copy them back easily (using
>  > ftp, even), sign them locally, and upload two tiny files.
> That's not enough. After I signed the .changes and .dsc files (and moved
> back the other files from REJECT/) I received that from dinstall:
> 
> Rejected: md5sum failed
> md5sum: MD5 check failed for 'binkd_0.9.2-3.dsc'
> 
> Looks like I have to sign the .dsc, generate the new md5 hash with md5sum,
> manually edit the .changes file and sign it.

I've got a little shell script I use that seems to work okay.  I can
send it to you if you'd like.

Adam Klein


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: dinstall and PGP

1998-04-15 Thread Marco d'Itri
On Apr 09, Manoj Srivastava <[EMAIL PROTECTED]> wrote:

 >  Those files are small. One can copy them back easily (using
 > ftp, even), sign them locally, and upload two tiny files.
That's not enough. After I signed the .changes and .dsc files (and moved
back the other files from REJECT/) I received that from dinstall:

Rejected: md5sum failed
md5sum: MD5 check failed for 'binkd_0.9.2-3.dsc'

Looks like I have to sign the .dsc, generate the new md5 hash with md5sum,
manually edit the .changes file and sign it.

-- 
ciao,
Marco
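
The manual step described in the message above (recompute the md5 hash of the re-signed .dsc and put it into the .changes before signing that in turn), as an added example that is not part of the original thread and is not dinstall's or any poster's own script. The file sample.changes, its contents and the function names are constructed for illustration; the signing itself is replaced by a stand-in edit, and the .changes is assumed to be still unsigned.

```shell
#!/bin/sh
# Added example: file contents and function names are constructed.

# Print "md5 size" for one file, the two values a Files: entry records.
md5_and_size() {
    printf '%s %s\n' "$(md5sum < "$1" | cut -d' ' -f1)" "$(wc -c < "$1" | tr -d ' ')"
}

# Check every Files: entry of the .changes file $1 against the files beside it.
check_changes() {
    dir=$(dirname "$1"); rc=0
    list=$(mktemp) || return 2
    awk '/^Files:/ {f=1; next} f && /^ / {print $1, $2, $NF; next} {f=0}' "$1" > "$list"
    while read -r md5 size name; do
        [ "$(md5_and_size "$dir/$name")" = "$md5 $size" ] ||
            { echo "MD5 check failed for '$name'"; rc=1; }
    done < "$list"
    rm -f "$list"
    return $rc
}

# Rewrite the md5 and size recorded for file $2 in the unsigned .changes file $1.
refresh_entry() {
    changes=$1 target=$2
    set -- $(md5_and_size "$target")
    tmp=$(mktemp) || return 1
    awk -v md5="$1" -v size="$2" -v name="$(basename "$target")" '
        /^Files:/ { f = 1; print; next }
        f && /^ / && $NF == name { printf " %s %s %s %s %s\n", md5, size, $3, $4, name; next }
        !/^ / { f = 0 }
        { print }' "$changes" > "$tmp" && mv "$tmp" "$changes"
}

# Constructed walk-through: stale entry after "signing", fresh after the rewrite.
demo() {
    d=$(mktemp -d) || return 1
    printf 'Source: binkd\nVersion: 0.9.2-3\n' > "$d/binkd_0.9.2-3.dsc"
    printf 'Source: binkd\nFiles:\n %s net optional binkd_0.9.2-3.dsc\n' \
        "$(md5_and_size "$d/binkd_0.9.2-3.dsc")" > "$d/sample.changes"
    # Stand-in for clearsigning: any in-place change to the .dsc alters its hash.
    printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '(constructed)' >> "$d/binkd_0.9.2-3.dsc"
    check_changes "$d/sample.changes" >/dev/null && before=ok || before=stale
    refresh_entry "$d/sample.changes" "$d/binkd_0.9.2-3.dsc"
    check_changes "$d/sample.changes" >/dev/null && after=ok || after=stale
    rm -rf "$d"
    echo "$before $after"
}
```

The .changes is signed only after refresh_entry has run, since its signature covers the Files: lines that were just rewritten.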





Re: dinstall and PGP

1998-04-09 Thread Roman Hodek

> Can someone hack dinstall to install packages which are not PGP
> signed but have been copied to incoming? If the UID of the files is
> the one of a developer we can know who did upload the package.

No, because the upload queues also use known UIDs, but may allow
everyone to upload. (BTW, the queues in Erlangen and open.hands.com
require the files to be PGP-signed.)

Roman





Re: dinstall and PGP

1998-04-09 Thread Manoj Srivastava
Hi,
>>"Marco" == Marco d'Itri <[EMAIL PROTECTED]> writes:

Marco> On Apr 08, Vincent Renardias <[EMAIL PROTECTED]> wrote:

>> Anyway, I fail to see WHY we should allow non PGP signed packages.
Marco> Because it's not easy to sign .dsc and .changes files via a ssh
Marco> pipe when compiling packages on va. This is impossible when my
Marco> workstation is behind a firewall and I can't open ssh
Marco> connections to it.

Those files are small. One can copy them back easily (using
 ftp, even), sign them locally, and upload two tiny files.

Not enough to justify allowing non-pgp signed stuff. Am I
 missing something? 

manoj
-- 
 "Why do men go to war?  Because women are watching." Eliot
Manoj Srivastava  <[EMAIL PROTECTED]> 
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E





Re: dinstall and PGP

1998-04-09 Thread Marco d'Itri
On Apr 08, Vincent Renardias <[EMAIL PROTECTED]> wrote:

 >Definitely not an option, since people uploading anonymously to chiark
 >would be able to upload whatever in the distribution since the files
 >arrive in Incoming/ with IanJ's UID (also holds for other upload queues).
We could maintain a list of exceptions (or even better, a list of allowed
IDs).

 >Anyway, I fail to see WHY we should allow non PGP signed packages.
Because it's not easy to sign .dsc and .changes files via a ssh pipe when
compiling packages on va.
This is impossible when my workstation is behind a firewall and I can't
open ssh connections to it.

-- 
ciao,
Marco





Re: dinstall and PGP

1998-04-09 Thread Fabien Ninoles
On Wed, Apr 08, 1998 at 08:50:56PM +0100, Enrique Zanardi wrote:
> On Wed, Apr 08, 1998 at 08:23:48PM +0200, Marco d'Itri wrote:
> > Can someone hack dinstall to install packages which are not PGP signed
> > but have been copied to incoming? If the UID of the files is the one of a
> > developer we can know who did upload the package.
> 
> No. We know which account the uploader used. (Even that is not true. The
> uploader may have changed the UID if he obtained root privileges, but
> then he can bypass dinstall). And what about packages uploaded to chiark
> or erlangen?
> 
> We should be talking about improving our security instead (by signing the 
> packages, and not the .changes file). One of these days we will find
> trojan horses in Debian packages at compromised mirror sites, and will
> have to hear all that "But, RPM packages are PGPsigned..." stuff again
> and again.
> 

Signing changes files is enough because of the md5sums contained in
the changes, and md5 is an algorithm of mostly the same strength as
the one used by pgp for signing (only the IDs are better encrypted),
practically speaking. For a better checkup, check for dpkg-cert... I
think it also checks the integrity of the files on the system.

So to speak, it was really to find a file that has the same md5 sum
as another one; to find one that represents something is frankly
harder, and to find one that can also do real harm is like finding a
neutrino: something that is easier to think is an error than that it's
true.

-- 

Fabien Ninoles  Running Debian/GNU Linux
E-mail:[EMAIL PROTECTED]
WebPage:  http://www.callisto.si.usherb.ca/~94246757
WorkStation [available when connected!]: http://nightbird.tzone.org/
RSA PGP KEY [E3723845]: 1C C1 4F A6 EE E5 4D 99  4F 80 2D 2D 1F 85 C1 70





Re: dinstall and PGP

1998-04-08 Thread Vincent Renardias

On Wed, 8 Apr 1998, Marco d'Itri wrote:

> Can someone hack dinstall to install packages which are not PGP signed
> but have been copied to incoming? If the UID of the files is the one of a
> developer we can know who did upload the package.

Definitely not an option, since people uploading anonymously to chiark
would be able to upload whatever in the distribution since the files
arrive in Incoming/ with IanJ's UID (also holds for other upload queues).

Anyway, I fail to see WHY we should allow non PGP signed packages.

Regards,

-- 
- Vincent RENARDIAS [EMAIL PROTECTED],pipo.com,debian.org} -
- Debian/GNU Linux:   Pipo:WAW:   -
- http://www.fr.debian.org  http://www.pipo.com  http://www.waw.com -
---
- "La fonctionnalite Son Visuel vous delivre des avertissements visuels." -
-  [Message during the installation of Windows95]:wq 






Re: dinstall and PGP

1998-04-08 Thread Enrique Zanardi
On Wed, Apr 08, 1998 at 08:23:48PM +0200, Marco d'Itri wrote:
> Can someone hack dinstall to install packages which are not PGP signed
> but have been copied to incoming? If the UID of the files is the one of a
> developer we can know who did upload the package.

No. We know which account the uploader used. (Even that is not true. The
uploader may have changed the UID if he obtained root privileges, but
then he can bypass dinstall). And what about packages uploaded to chiark
or erlangen?

We should be talking about improving our security instead (by signing the 
packages, and not the .changes file). One of these days we will find
trojan horses in Debian packages at compromised mirror sites, and will
have to hear all that "But, RPM packages are PGPsigned..." stuff again
and again.

--
Enrique Zanardi  [EMAIL PROTECTED]
Dpto. Fisica Fundamental y Experimental Univ. de La Laguna





dinstall and PGP

1998-04-08 Thread Marco d'Itri
Can someone hack dinstall to install packages which are not PGP signed
but have been copied to incoming? If the UID of the files is the one of a
developer we can know who did upload the package.

-- 
ciao,
Marco

