[NTLUG:Discuss] Package security in Debian?

MadHat madhat at unspecific.com
Tue Dec 18 10:47:16 CST 2001


At 09:53 AM 12/18/2001 -0600, brian at pongonova.net wrote:
>I was following a discussion recently in /. about how some distros are
>using PKI to ensure precompiled package security (i.e., reasonable
>assurance that a package is what it claims to be).  Having just
>installed Debian, I found no reference to any type of package
>security...choose an ftp site, and apt-get away.  Is this simply not
>an issue with Debian users, or are there ways of being reasonably
>assured a Debian mirror is carrying authentic, non-trojaned packages?

This is an issue for anyone and everyone.  Anytime you download anything, 
including source code, you are taking a chance.  It is more risky with 
precompiled binaries, since you can't dig through to see what they are 
doing, but there are ways to (painful ways).  With source, it is almost as 
bad, since many people can't read the source and those who can often don't 
take the time.

Until all packages come signed with verifiable PGP/GPG/OpenSSL 
signatures/certificates, it is a crap shoot.  Even then PKI is not perfect 
and you still have the chance of getting a corrupted key, or someone who 
has a bad key like what happened with MS with an 'accidental release' of a 
verisign cert that could be used for signing ActiveX apps and such to make 
it look like it came from MS.

At present, look for the MD5 checksums from each distribution.  I am not 
sure how to verify with the Debian package manager.

Using RPM you can use --checksig, but this again is based on the idea you 
have the proper signature from "security at redhat.com".  It does come on the 
CDs and is available on the web, but there is still a chance of getting a 
bad sig.  Make sure you grab it from a reliable source.

But this doesn't help with any app not built by RedHat.  And checking the 
MD5 checksum doesn't help if the person building the package is the one who 
is planting the "bad stuff" in it anyway.

The world is a dangerous place.


--
MadHat at unspecific.com
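The checksum check the reply points at, as an added example written for this page (it is not code from the thread or from Debian's own tools): it parses a Packages index stanza in the field layout a Debian mirror publishes, then compares a downloaded .deb's size and MD5 against that entry. The package bytes, the index stanza and the pool path are all constructed; the check is only as trustworthy as the copy of the index it is run against, which is the thread's point.

```python
import hashlib

# Constructed stand-in for a .deb file (not a real package): 43 bytes whose
# MD5 is the well-known 9e107d9d372bb6826bd81d3542a419d6.
GOOD_DEB = b"The quick brown fox jumps over the lazy dog"

# Constructed Packages index stanza in the field layout a Debian mirror
# publishes. The stanza must itself come from a trusted, signed copy of the
# index; a mirror that can rewrite the file can rewrite the checksum too.
PACKAGES_INDEX = """\
Package: example
Version: 1.0-1
Filename: pool/main/e/example/example_1.0-1_i386.deb
Size: 43
MD5sum: 9e107d9d372bb6826bd81d3542a419d6
"""


def parse_packages_index(text):
    """Map each Filename in a Packages index to its dictionary of fields."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            # Continuation lines (long Description text) start with a space.
            if line.startswith(" ") or ":" not in line:
                continue
            key, value = line.split(":", 1)
            fields[key] = value.strip()
        if "Filename" in fields:
            entries[fields["Filename"]] = fields
    return entries


def verify_deb(data, entry):
    """Return the mismatches between a downloaded .deb and its index entry."""
    problems = []
    # Size first: cheap, and a truncated download shows up before hashing.
    if len(data) != int(entry["Size"]):
        problems.append("size %d != %s" % (len(data), entry["Size"]))
    digest = hashlib.md5(data).hexdigest()
    if digest != entry["MD5sum"].lower():
        problems.append("md5 %s != %s" % (digest, entry["MD5sum"]))
    return problems


if __name__ == "__main__":
    index = parse_packages_index(PACKAGES_INDEX)
    entry = index["pool/main/e/example/example_1.0-1_i386.deb"]
    print("good:", verify_deb(GOOD_DEB, entry))
    print("tampered:", verify_deb(GOOD_DEB + b"\x00", entry))
```

An empty list means the download matches the index; a trailing byte appended by a bad mirror fails both the size and the MD5 comparison.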
