[NTLUG:Discuss] Package security in Debian?

Richard Cobbe cobbe at airmail.net
Tue Dec 18 17:36:36 CST 2001


Lo, on Tuesday, December 18, brian at pongonova.net did write:

> I was following a discussion recently in /. about how some distros are
> using PKI to ensure precompiled package security (i.e., reasonable
> assurance that a package is what it claims to be).  Having just
> installed Debian, I found no reference to any type of package
> security...choose an ftp site, and apt-get away.  Is this simply not
> an issue with Debian users, or are there ways of being reasonably
> assured a Debian mirror is carrying authentic, non-trojaned packages?

This is a valid concern, and Debian does lag behind some of the other
distributions here.  (I run Debian potato myself; things may have
changed in woody or sid.)

As a start, check out /var/lib/dpkg/*.md5sums.  Not every package
supplies this file, but package Foo should ideally provide
/var/lib/dpkg/Foo.md5sums which contains MD5 checksums for all of Foo's
files (apparently minus configuration files).

ISTR seeing something a while back on debian-user that the Debian folks
are working to add some sort of package authentication mechanism (using
GPG, I think) to dpkg and/or apt.  It's been a while since I saw this,
so I don't know the status of this effort.  It may have already been
implemented; since I run potato, I'm somewhat behind the cutting edge of
the Debian packaging tools.

I'm fairly certain that it's now a requirement that all packages include
.md5sums files, but this was introduced after potato was released.

Incidentally, MadHat's point about getting the correct
security@redhat.com GPG public key applies, so far as I can tell, to any
PKI-based authentication system and key distribution mechanism.

Richard
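As an added example (not code from the original post, nor Debian's own tooling), the following POSIX sh script checks an installed package's files against a dpkg-style .md5sums list, which is the check Richard describes. The line format ("<md5>  <path relative to />") is the real one, and on current systems dpkg keeps the list for package Foo at /var/lib/dpkg/info/Foo.md5sums; the package name "foo" and the fixture files are constructed for the demo. One caveat worth stating plainly: the .md5sums file is generated at build time and shipped inside the .deb, so this check only detects files that changed after installation. It cannot tell you whether the package you fetched from a mirror was authentic to begin with; that is what a signature over the archive (the GPG-based apt authentication mentioned in the message) is for.

```shell
#!/bin/sh
# Added example (not from the original post): check the files of an installed
# Debian package against a dpkg-style .md5sums list.
#
# Line format of the list, as dpkg ships it inside each package:
#     <32 hex md5 digits><two spaces><path relative to the filesystem root>
# On current systems the list for package Foo is /var/lib/dpkg/info/Foo.md5sums.
#
# Usage: verify_md5sums ROOT MD5SUMS_FILE
#   verify_md5sums / /var/lib/dpkg/info/coreutils.md5sums
# Prints "MISMATCH <path>" or "MISSING  <path>" for each problem found and
# returns 1 if there was any problem, 0 if every listed file is intact.
verify_md5sums() {
    root=$1
    list=$2
    problems=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        expected=${line%% *}          # text before the first space
        rel=${line#"$expected"}       # the rest: separator plus path
        rel=${rel#" "}
        rel=${rel#" "}                # drop the two-space separator
        path=$root/$rel
        if [ ! -f "$path" ]; then
            echo "MISSING  $rel"
            problems=$((problems + 1))
            continue
        fi
        actual=$(md5sum < "$path")    # prints "<md5>  -"
        actual=${actual%% *}
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $rel"
            problems=$((problems + 1))
        fi
    done < "$list"
    [ "$problems" -eq 0 ]
}

# Constructed fixture so the example runs offline: a fake install root with
# three files and an md5sums list generated from them. With the argument
# "tampered", one file is then modified and another removed, the situation
# the check is meant to catch. Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin" "$dir/usr/share/doc/foo"
    printf '#!/bin/sh\necho hello\n' > "$dir/usr/bin/foo"
    printf 'Foo 1.0\n' > "$dir/usr/share/doc/foo/README"
    printf 'GPL\n' > "$dir/usr/share/doc/foo/copyright"
    : > "$dir/foo.md5sums"
    for f in usr/bin/foo usr/share/doc/foo/README usr/share/doc/foo/copyright; do
        sum=$(md5sum < "$dir/$f")
        printf '%s  %s\n' "${sum%% *}" "$f" >> "$dir/foo.md5sums"
    done
    if [ "${1:-}" = tampered ]; then
        printf '#!/bin/sh\necho hello; echo tampered\n' > "$dir/usr/bin/foo"
        rm "$dir/usr/share/doc/foo/README"
    fi
    echo "$dir"
}

# Stand-alone demo: the clean fixture passes, the tampered one reports
# one MISMATCH (usr/bin/foo) and one MISSING (the README).
for kind in clean tampered; do
    fixture=$(make_fixture "$kind")
    echo "== $kind fixture in $fixture"
    if verify_md5sums "$fixture" "$fixture/foo.md5sums"; then
        echo "all listed files match"
    else
        echo "package files changed since install"
    fi
    rm -rf "$fixture"
done
```

Against a real system the call is `verify_md5sums / /var/lib/dpkg/info/<package>.md5sums` (or, equivalently, `cd / && md5sum -c` on that file); conffiles are not listed, so edits to configuration under /etc are not reported, and an attacker with root who replaced a binary could just as easily have rewritten the local .md5sums list, which is why such checks are only trustworthy against a list kept off the host.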
