[linux-elitists] [RANT] Debian the Elitist Distribution?
Sun Feb 15 12:36:18 PST 2004
Quoting Jim Richardson (firstname.lastname@example.org):
> While I prefer .deb over .rpm, there are some things that RPM does
> better, gpg signing packages for one....
Are you familiar with the Release.gpg mechanism? The buildd makes sure
the submitted package is accompanied by a .changes file signed by a
registered Debian developer. Later, when the official package mirrors
pick up the package, the Packages[.gz] file distributed with it includes
the package's md5sum. Each Packages[.gz] file's own md5sum is provided
in the accompanying Release file.
Release files are in turn signed by the master package-releasing
program's gpg key, and the hash stored in Release.gpg in the same
directory. If you're utterly paranoid, you can configure your system to
check _that_ signature against the debian-keyring set.
I'm pretty sure all official Debian binary packages are now also
distributed _with_ gnupg signatures, but all that minutely checking
those would demonstrate -- if you trust your keyring -- is that the
package was signed at some time by someone in the keyring. It may very
well be outdated, insecure, and exploitable.
Holes like that are endemic in package-signing schemes, and are the
single biggest reason why people who do, say, "Oh, I ran rpm -Va, so my
system is fine" are fooling themselves.
Cheers,
Rick Moen
email@example.com

The cynics among us might say: "We laugh, monkeyboys -- Linux IS the
mainstream UNIX now! MuaHaHaHa!" but that would be rude. -- Jim Dennis
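The Release -> Packages -> .deb hash chain described in the post, as an added Python example that is not part of the original message: the Release, Packages and package contents are constructed inline, and the Release.gpg signature check itself (done by gpg over the Release file) is assumed to have already passed before the chain is walked.

```python
import hashlib

# Constructed sample data (not from any real mirror): a stand-in .deb,
# a Packages file listing it, and a Release file listing that Packages file.
DEB_BYTES = b"!<arch>\nconstructed-deb-contents\n"
DEB_PATH = "pool/main/e/example-tool/example-tool_1.0-1_i386.deb"
PACKAGES_PATH = "main/binary-i386/Packages"
PACKAGES = (
    f"Package: example-tool\nVersion: 1.0-1\nFilename: {DEB_PATH}\n"
    f"MD5sum: {hashlib.md5(DEB_BYTES).hexdigest()}\nSize: {len(DEB_BYTES)}\n"
).encode()
RELEASE = (
    "Origin: Debian\nSuite: stable\nMD5Sum:\n"
    f" {hashlib.md5(PACKAGES).hexdigest()} {len(PACKAGES):8d} {PACKAGES_PATH}\n"
)

def release_md5s(release_text):
    """{path: (md5, size)} from the MD5Sum: section of a Release file."""
    out, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_section = True
        elif in_section and line.startswith(" "):
            md5, size, path = line.split()
            out[path] = (md5, int(size))
        else:
            in_section = False  # any other header ends the hash list
    return out

def packages_md5s(packages_text):
    """{Filename: (MD5sum, Size)} for every stanza of a Packages file."""
    out = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        out[fields["Filename"]] = (fields["MD5sum"], int(fields["Size"]))
    return out

def link_ok(expected, data):
    """One hop of the chain: do the listed md5 and size match what we fetched?"""
    md5, size = expected
    return hashlib.md5(data).hexdigest() == md5 and len(data) == size

def verify_chain(release_text, packages_path, packages_bytes, deb_path, deb_bytes):
    """Release -> Packages -> .deb. Assumes gpg already verified Release.gpg
    over release_text; a good signature here still says nothing about whether
    the listed package version is current or free of known holes."""
    if not link_ok(release_md5s(release_text)[packages_path], packages_bytes):
        return False
    return link_ok(packages_md5s(packages_bytes.decode())[deb_path], deb_bytes)
```

A stale but correctly signed Release/Packages pair passes this check just as well as a fresh one, which is the gap the post warns about.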