[linux-elitists] [RANT] Debian the Elitist Distribution?

Rick Moen rick@linuxmafia.com
Sun Feb 15 12:36:18 PST 2004

Quoting Jim Richardson (warlock@eskimo.com):

> While I prefer .deb over .rpm. There are some things that RPM does
> better, gpg signing packages for one....

Are you familiar with the Release.gpg mechanism?  The buildd makes sure
the submitted package is accompanied by a .changes file signed by a
registered Debian developer.  Later, when the official package mirrors
pick up the package, the Packages[.gz] file distributed with it includes
the package's md5sum.  Each Packages[.gz] file's own md5sum is provided
in the accompanying Release file.

Release files are in turn signed by the master package-releasing
program's gpg key, and the hash stored in Release.gpg in the same
directory.  If you're utterly paranoid, you can configure your system
checks _that_ signature against the debian-keyring set.

I'm pretty sure all official Debian binary packages are now also
distributed _with_ gnupg signatures, but all that minutely checking
those would demonstrate -- if you trust your keyring -- is that the
package was signed at some time by someone in the keyring.  It may very
well be outdated, insecure, and exploitable.

Holes like that are endemic in package-signing schemes, and are the
single biggest reason why people who do, say, "Oh, I ran rpm -Va, so my
system is fine" are fooling themselves.

Cheers,                   The cynics among us might say:   "We laugh, 
Rick Moen                 monkeyboys -- Linux IS the mainstream UNIX now!
rick@linuxmafia.com       MuaHaHaHa!" but that would be rude. -- Jim Dennis

More information about the linux-elitists mailing list