Re: Automatic Debian security updates, an Implementation
On Fri, 2002-10-18 at 09:55, Gustavo Franco wrote: > Talking about secpack, is it non-free? I can't see in your mail(Clemens) > the url or apt-line to get the source package. No, it's BSD. I didn't dare to put up a license for that minimal collection. There isn't even a source package. I just dpkg-deb -b the few files with a DEBIAN/control file. See http://therapy.endorphin.org/secpack/ Regards, Clemens P.S.: Sorry for replying that late, but someone obviously removed my Cc line and I haven't been subscribed to debian-security. Just found your message accidently in the archives. pgp8f9gk5X81C.pgp Description: PGP signature
Re: Automatic Debian security updates, an Implementation
On Fri, 2002-10-18 at 09:55, Gustavo Franco wrote: > Talking about secpack, is it non-free? I can't see in your mail(Clemens) > the url or apt-line to get the source package. No, it's BSD. I didn't dare to put up a license for that minimal collection. There isn't even a source package. I just dpkg-deb -b the few files with a DEBIAN/control file. See http://therapy.endorphin.org/secpack/ Regards, Clemens P.S.: Sorry for replying that late, but someone obviously removed my Cc line and I haven't been subscribed to debian-security. Just found your message accidently in the archives. msg07844/pgp0.pgp Description: PGP signature
RE: Automatic Debian security updates, an Implementation
Four words: Single point of failure. (Or is that six? Or ten? Yes, yes, that's right, twelve words. Let's try that again, shall we? ... ;) Besides, I strongly believe that it already does this... IIRC apt-get does this to make sure that the packages weren't corrupted (or truncated) in transit. -Ian R. Bradley Tilley hath spoke: >Why can't apt-get be modified to check the md5sum of a package against an >official debian md5sum list before downloading and installing debs? This >seems much simpler and easier than signing debs.
RE: Automatic Debian security updates, an Implementation
Four words: Single point of failure. (Or is that six? Or ten? Yes, yes, that's right, twelve words. Let's try that again, shall we? ... ;) Besides, I strongly believe that it already does this... IIRC apt-get does this to make sure that the packages weren't corrupted (or truncated) in transit. -Ian R. Bradley Tilley hath spoke: >Why can't apt-get be modified to check the md5sum of a package against an >official debian md5sum list before downloading and installing debs? This >seems much simpler and easier than signing debs. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Automatic Debian security updates, an Implementation
On Fri, Oct 18, 2002 at 10:48:16AM -0400, R. Bradley Tilley wrote: > Why can't apt-get be modified to check the md5sum of a package against an > official debian md5sum list before downloading and installing debs? This > seems much simpler and easier than signing debs. It does. The problem is, how to get an official debian md5sum list? This is, basically, what apt-check-sigs does. It checks the validity of the Packages files (which contains md5sums of individual packages) with a gpg signature. Jan
Re: Automatic Debian security updates, an Implementation
Why can't apt-get be modified to check the md5sum of a package against an official debian md5sum list before downloading and installing debs? This seems much simpler and easier than signing debs. On Friday 18 October 2002 09:55 am, Jan Niehusmann wrote: > On Fri, Oct 18, 2002 at 08:20:14AM -0500, Joseph Pingenot wrote: > > If people are interested enough in it, I might throw together something > > more formal. > > IMHO there is no lack of interesting ideas - what we really need are > implementations. > > apt-check-sigs is a nice proof-of-concept, and the debsigs stuff could > also improve security significantly. Together, I'd say they'd suffice to > make the debian mirrors extremely tamper-proof. > > But apt-check-sigs is lacking nice integration into existing tools, and > debsigs doesn't really work, because packages are not signed, which is > IMHO caused by inappropriate helper tools at packaging time. > > So implementing these tools, and then changing policy to make package > signatures mandatory, seems to be the most feasible approach. > > Writing new proposals for advanced security schemes doesn't help and may > even delay implementation of working mechanismns. > > Jan
Re: Automatic Debian security updates, an Implementation
>IMHO there is no lack of interesting ideas - what we really need are >implementations. Ja. I just have to find the time. :) >apt-check-sigs is a nice proof-of-concept, and the debsigs stuff could >also improve security significantly. Together, I'd say they'd suffice to >make the debian mirrors extremely tamper-proof. >But apt-check-sigs is lacking nice integration into existing tools, and >debsigs doesn't really work, because packages are not signed, which is >IMHO caused by inappropriate helper tools at packaging time. Hrm. I guess I'll have to check into those. >So implementing these tools, and then changing policy to make package >signatures mandatory, seems to be the most feasible approach. Making package sigs mandatory is the critical bit, IMHO. -Joseph -- [EMAIL PROTECTED] "Alt text doesn't pop up unless you use an ancient browser from the days of yore. The relevant standards clearly indicate that it should not, and I only know about one browser released in the last two years that violates this, and it's still claiming compatibility with Mozilla 4 (which was obsolete quite long ago), so it really can't be considered a modern browser." --jonadab, in a slashdot.org comment.
Re: Automatic Debian security updates, an Implementation
On Fri, Oct 18, 2002 at 08:20:14AM -0500, Joseph Pingenot wrote: > If people are interested enough in it, I might throw together something > more formal. IMHO there is no lack of interesting ideas - what we really need are implementations. apt-check-sigs is a nice proof-of-concept, and the debsigs stuff could also improve security significantly. Together, I'd say they'd suffice to make the debian mirrors extremely tamper-proof. But apt-check-sigs is lacking nice integration into existing tools, and debsigs doesn't really work, because packages are not signed, which is IMHO caused by inappropriate helper tools at packaging time. So implementing these tools, and then changing policy to make package signatures mandatory, seems to be the most feasible approach. Writing new proposals for advanced security schemes doesn't help and may even delay implementation of working mechanismns. Jan
Re: Automatic Debian security updates, an Implementation
>From Jan Niehusmann on Friday, 18 October, 2002: >On Fri, Oct 18, 2002 at 08:24:31AM -0400, R. Bradley Tilley wrote: >> Can someone explain why 'apt-get update && apt-get dist-upgrade' is not >> sufficient to keep a debian system secure and updated? >Of course, if the hacker managed to modify files on the master server, >proper signatures would automatically get generated, and apt-check-sigs >had no chance to detect these modifications. Still, checking signatures >provides one more line of defense. I've been thinking up a new, more secure way of doing apt. (Actually, it's a modification of the current system.) It kind of has two levels, one trusting apt's integrity, and the second would be a very paranoid system, which requires more hardware knowledge (smartcard-like businesses) than I currently possess. If people are interested enough in it, I might throw together something more formal. -Joseph -- [EMAIL PROTECTED] "Alt text doesn't pop up unless you use an ancient browser from the days of yore. The relevant standards clearly indicate that it should not, and I only know about one browser released in the last two years that violates this, and it's still claiming compatibility with Mozilla 4 (which was obsolete quite long ago), so it really can't be considered a modern browser." --jonadab, in a slashdot.org comment.
Re: Automatic Debian security updates, an Implementation
On Fri, Oct 18, 2002 at 10:48:16AM -0400, R. Bradley Tilley wrote: > Why can't apt-get be modified to check the md5sum of a package against an > official debian md5sum list before downloading and installing debs? This > seems much simpler and easier than signing debs. It does. The problem is, how to get an official debian md5sum list? This is, basically, what apt-check-sigs does. It checks the validity of the Packages files (which contains md5sums of individual packages) with a gpg signature. Jan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Automatic Debian security updates, an Implementation
Why can't apt-get be modified to check the md5sum of a package against an official debian md5sum list before downloading and installing debs? This seems much simpler and easier than signing debs. On Friday 18 October 2002 09:55 am, Jan Niehusmann wrote: > On Fri, Oct 18, 2002 at 08:20:14AM -0500, Joseph Pingenot wrote: > > If people are interested enough in it, I might throw together something > > more formal. > > IMHO there is no lack of interesting ideas - what we really need are > implementations. > > apt-check-sigs is a nice proof-of-concept, and the debsigs stuff could > also improve security significantly. Together, I'd say they'd suffice to > make the debian mirrors extremely tamper-proof. > > But apt-check-sigs is lacking nice integration into existing tools, and > debsigs doesn't really work, because packages are not signed, which is > IMHO caused by inappropriate helper tools at packaging time. > > So implementing these tools, and then changing policy to make package > signatures mandatory, seems to be the most feasible approach. > > Writing new proposals for advanced security schemes doesn't help and may > even delay implementation of working mechanismns. > > Jan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Automatic Debian security updates, an Implementation
>IMHO there is no lack of interesting ideas - what we really need are >implementations. Ja. I just have to find the time. :) >apt-check-sigs is a nice proof-of-concept, and the debsigs stuff could >also improve security significantly. Together, I'd say they'd suffice to >make the debian mirrors extremely tamper-proof. >But apt-check-sigs is lacking nice integration into existing tools, and >debsigs doesn't really work, because packages are not signed, which is >IMHO caused by inappropriate helper tools at packaging time. Hrm. I guess I'll have to check into those. >So implementing these tools, and then changing policy to make package >signatures mandatory, seems to be the most feasible approach. Making package sigs mandatory is the critical bit, IMHO. -Joseph -- [EMAIL PROTECTED] "Alt text doesn't pop up unless you use an ancient browser from the days of yore. The relevant standards clearly indicate that it should not, and I only know about one browser released in the last two years that violates this, and it's still claiming compatibility with Mozilla 4 (which was obsolete quite long ago), so it really can't be considered a modern browser." --jonadab, in a slashdot.org comment. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Automatic Debian security updates, an Implementation
On Fri, 2002-10-18 at 09:33, Mark Janssen wrote: > On Fri, 2002-10-18 at 14:24, R. Bradley Tilley wrote: > > I don't understand the need for this. > > > > Can someone explain why 'apt-get update && apt-get dist-upgrade' is not > > sufficient to keep a debian system secure and updated? > > It'll get to you when you have 200+ debian systems spread across the > internet in different cities, timezones and administrative domains :) > Hi, You can try cron-apt package[1] and apt-check-sigs[2] to do it! Now i've twelve servers running Debian GNU/Linux and i'm using one apt-proxy[3] and aptwatcher(like cron-apt). [1] = http://packages.debian.org/cron-apt/ [2] = http://people.debian.org/~ajt/ [3] = http://apt-proxy.sourceforge.net/ Talking about secpack, is it non-free? I can't see in your mail(Clemens) the url or apt-line to get the source package. Thanks, -- Gustavo Franco -- <[EMAIL PROTECTED]> GNUpg id: 0x37155778 (try: wwwkeys.eu.pgp.net) I prefer encrypted and signed e-mail.
Re: Automatic Debian security updates, an Implementation
On Fri, 18 Oct 2002 at 08:24:31AM -0400, R. Bradley Tilley wrote: > I don't understand the need for this. > > Can someone explain why 'apt-get update && apt-get dist-upgrade' is not > sufficient to keep a debian system secure and updated? As pointed out several times in the past Debian has not fully implemented package signing (the last I knew...someone throw a rock at me if I am wrong). So blindly updating and upgrading might be insecure if someone could spoof the Debian update server (upstream). Regards, -- Phil PGP/GPG Key: http://www.zionlth.org/~plhofmei/ wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import XP Source Code: #include #include #include #include #include #include #include #include //os_ver="Windows 2000" os_ver="Windows XP"
Re: Automatic Debian security updates, an Implementation
On Fri, Oct 18, 2002 at 08:24:31AM -0400, R. Bradley Tilley wrote: > Can someone explain why 'apt-get update && apt-get dist-upgrade' is not > sufficient to keep a debian system secure and updated? Because a hacked mirror could contain malicious packages. When you check signatures before upgrading, you detect such intrusions. Of course, if the hacker managed to modify files on the master server, proper signatures would automatically get generated, and apt-check-sigs had no chance to detect these modifications. Still, checking signatures provides one more line of defense. Jan
Re: Automatic Debian security updates, an Implementation
On Fri, 2002-10-18 at 14:24, R. Bradley Tilley wrote: > I don't understand the need for this. > > Can someone explain why 'apt-get update && apt-get dist-upgrade' is not > sufficient to keep a debian system secure and updated? It'll get to you when you have 200+ debian systems spread across the internet in different cities, timezones and administrative domains :) -- Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178 Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: Automatic Debian security updates, an Implementation
I don't understand the need for this. Can someone explain why 'apt-get update && apt-get dist-upgrade' is not sufficient to keep a debian system secure and updated? On Friday 18 October 2002 06:58 am, Fruhwirth Clemens wrote: > Hi! > > http://therapy.endorphin.org/secpack_0.1-1.deb implements a simple cron > based daily security update with signature checking using a modified > version of ajt's apt-check-sigs. > > Feedback is appreciated. CC please, /me not on list. > > Regards, Clemens
Re: Automatic Debian security updates, an Implementation
On Fri, Oct 18, 2002 at 08:20:14AM -0500, Joseph Pingenot wrote: > If people are interested enough in it, I might throw together something > more formal. IMHO there is no lack of interesting ideas - what we really need are implementations. apt-check-sigs is a nice proof-of-concept, and the debsigs stuff could also improve security significantly. Together, I'd say they'd suffice to make the debian mirrors extremely tamper-proof. But apt-check-sigs is lacking nice integration into existing tools, and debsigs doesn't really work, because packages are not signed, which is IMHO caused by inappropriate helper tools at packaging time. So implementing these tools, and then changing policy to make package signatures mandatory, seems to be the most feasible approach. Writing new proposals for advanced security schemes doesn't help and may even delay implementation of working mechanismns. Jan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Automatic Debian security updates, an Implementation
>From Jan Niehusmann on Friday, 18 October, 2002: >On Fri, Oct 18, 2002 at 08:24:31AM -0400, R. Bradley Tilley wrote: >> Can someone explain why 'apt-get update && apt-get dist-upgrade' is not >> sufficient to keep a debian system secure and updated? >Of course, if the hacker managed to modify files on the master server, >proper signatures would automatically get generated, and apt-check-sigs >had no chance to detect these modifications. Still, checking signatures >provides one more line of defense. I've been thinking up a new, more secure way of doing apt. (Actually, it's a modification of the current system.) It kind of has two levels, one trusting apt's integrity, and the second would be a very paranoid system, which requires more hardware knowledge (smartcard-like businesses) than I currently possess. If people are interested enough in it, I might throw together something more formal. -Joseph -- [EMAIL PROTECTED] "Alt text doesn't pop up unless you use an ancient browser from the days of yore. The relevant standards clearly indicate that it should not, and I only know about one browser released in the last two years that violates this, and it's still claiming compatibility with Mozilla 4 (which was obsolete quite long ago), so it really can't be considered a modern browser." --jonadab, in a slashdot.org comment. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Automatic Debian security updates, an Implementation
Hi! http://therapy.endorphin.org/secpack_0.1-1.deb implements a simple cron based daily security update with signature checking using a modified version of ajt's apt-check-sigs. Feedback is appreciated. CC please, /me not on list. Regards, Clemens pgpVBkwjvCD5f.pgp Description: PGP signature
Re: Automatic Debian security updates, an Implementation
On Fri, 2002-10-18 at 09:33, Mark Janssen wrote: > On Fri, 2002-10-18 at 14:24, R. Bradley Tilley wrote: > > I don't understand the need for this. > > > > Can someone explain why 'apt-get update && apt-get dist-upgrade' is not > > sufficient to keep a debian system secure and updated? > > It'll get to you when you have 200+ debian systems spread across the > internet in different cities, timezones and administrative domains :) > Hi, You can try cron-apt package[1] and apt-check-sigs[2] to do it! Now i've twelve servers running Debian GNU/Linux and i'm using one apt-proxy[3] and aptwatcher(like cron-apt). [1] = http://packages.debian.org/cron-apt/ [2] = http://people.debian.org/~ajt/ [3] = http://apt-proxy.sourceforge.net/ Talking about secpack, is it non-free? I can't see in your mail(Clemens) the url or apt-line to get the source package. Thanks, -- Gustavo Franco -- <[EMAIL PROTECTED]> GNUpg id: 0x37155778 (try: wwwkeys.eu.pgp.net) I prefer encrypted and signed e-mail. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Automatic Debian security updates, an Implementation
On Fri, 18 Oct 2002 at 08:24:31AM -0400, R. Bradley Tilley wrote: > I don't understand the need for this. > > Can someone explain why 'apt-get update && apt-get dist-upgrade' is not > sufficient to keep a debian system secure and updated? As pointed out several times in the past Debian has not fully implemented package signing (the last I knew...someone throw a rock at me if I am wrong). So blindly updating and upgrading might be insecure if someone could spoof the Debian update server (upstream). Regards, -- Phil PGP/GPG Key: http://www.zionlth.org/~plhofmei/ wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import XP Source Code: #include #include #include #include #include #include #include #include //os_ver="Windows 2000" os_ver="Windows XP" -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Automatic Debian security updates, an Implementation
On Fri, Oct 18, 2002 at 08:24:31AM -0400, R. Bradley Tilley wrote: > Can someone explain why 'apt-get update && apt-get dist-upgrade' is not > sufficient to keep a debian system secure and updated? Because a hacked mirror could contain malicious packages. When you check signatures before upgrading, you detect such intrusions. Of course, if the hacker managed to modify files on the master server, proper signatures would automatically get generated, and apt-check-sigs had no chance to detect these modifications. Still, checking signatures provides one more line of defense. Jan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Automatic Debian security updates, an Implementation
On Fri, 2002-10-18 at 14:24, R. Bradley Tilley wrote: > I don't understand the need for this. > > Can someone explain why 'apt-get update && apt-get dist-upgrade' is not > sufficient to keep a debian system secure and updated? It'll get to you when you have 200+ debian systems spread across the internet in different cities, timezones and administrative domains :) -- Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178 Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Automatic Debian security updates, an Implementation
I don't understand the need for this. Can someone explain why 'apt-get update && apt-get dist-upgrade' is not sufficient to keep a debian system secure and updated? On Friday 18 October 2002 06:58 am, Fruhwirth Clemens wrote: > Hi! > > http://therapy.endorphin.org/secpack_0.1-1.deb implements a simple cron > based daily security update with signature checking using a modified > version of ajt's apt-check-sigs. > > Feedback is appreciated. CC please, /me not on list. > > Regards, Clemens -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Automatic Debian security updates, an Implementation
Hi! http://therapy.endorphin.org/secpack_0.1-1.deb implements a simple cron based daily security update with signature checking using a modified version of ajt's apt-check-sigs. Feedback is appreciated. CC please, /me not on list. Regards, Clemens msg07424/pgp0.pgp Description: PGP signature
Re: Debian Security Updates
Previously Howland, Curtis wrote: > Or are the packages under the debian-non-US directory distributed > under the other headings when grabbing from this particular server? I'm not quite sure what you mean here.. The official non-us archive is on a different machines, and always uses different pathnames. Wichert. -- _ /[EMAIL PROTECTED] This space intentionally left occupied \ | [EMAIL PROTECTED]http://www.wiggy.net/ | | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
RE: Debian Security Updates
Then how are the packages so stored elsewhere differentiated? Or are the packages under the debian-non-US directory distributed under the other headings when grabbing from this particular server? > Previously Aurelio Turco wrote: > > Furthermore: > > > > http://security.debian.org/debian-non-US > > > > does not appear to exist. > > security.debian.org is hosted in a non-US location and doesn't have > a seperate non-US archive. > > Wichert. >
Re: Debian Security Updates
Previously Aurelio Turco wrote: > Furthermore: > > http://security.debian.org/debian-non-US > > does not appear to exist. security.debian.org is hosted in a non-US location and doesn't have a seperate non-US archive. Wichert. -- _ /[EMAIL PROTECTED] This space intentionally left occupied \ | [EMAIL PROTECTED]http://www.wiggy.net/ | | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
Re: Debian Security Updates
Oops, forgive me; should have checked the archives first: http://lists.debian.org/debian-security/2000/debian-security-200010/msg00124.html Cheers. Aurelio. Aurelio Turco wrote: > > Furthermore: > > http://security.debian.org/debian-non-US > > does not appear to exist. > > This leaves me wondering whether the non-US archive > is amalgamated with the non-(non-US) archive or is > on another server altogether. > > Anyone know what is happening here?
Re: Debian Security Updates
Furthermore: http://security.debian.org/debian-non-US does not appear to exist. This leaves me wondering whether the non-US archive is amalgamated with the non-(non-US) archive or is on another server altogether. Anyone know what is happening here? Andrew Pimlott wrote: > > On Wed, Aug 07, 2002 at 03:35:44AM +, Aurelio Turco wrote: > > Debian Weekly News of 2002JUL18, > > recommended the following: > > > > deb http://security.debian.org/debian-security stable/updates > > main contrib non-free > > > > deb http://security.debian.org/debian-non-US stable/non-US > > main contrib non-free > > > > deb http://security.debian.org stable/updates > > main contrib non-free > > > > Is there really some difference between 1 and 3? > > No, even though I mailed DWN about the same error in an earlier > newsletter. I would follow the advice on > http://security.debian.org/ . DWN is often rather careless in what > they publish. > > Andrew
Re: Debian Security Updates
On Wed, Aug 07, 2002 at 03:35:44AM +, Aurelio Turco wrote: > Debian Weekly News of 2002JUL18, > recommended the following: > > deb http://security.debian.org/debian-security stable/updates > main contrib non-free > > deb http://security.debian.org/debian-non-US stable/non-US > main contrib non-free > > deb http://security.debian.org stable/updates > main contrib non-free > > Is there really some difference between 1 and 3? No, even though I mailed DWN about the same error in an earlier newsletter. I would follow the advice on http://security.debian.org/ . DWN is often rather careless in what they publish. Andrew
Debian Security Updates
Debian Weekly News of 2002JUL18, recommended the following: deb http://security.debian.org/debian-security stable/updates main contrib non-free deb http://security.debian.org/debian-non-US stable/non-US main contrib non-free deb http://security.debian.org stable/updates main contrib non-free Is there really some difference between 1 and 3? Please reply directly as I am currently not on the list. Cheers. Aurelio.