[linux-elitists] [RANT] Debian the Elitist Distribution?

Jim Richardson warlock@eskimo.com
Sun Feb 15 14:01:05 PST 2004


On Sun, Feb 15, 2004 at 12:36:18PM -0800, Rick Moen wrote:
>Quoting Jim Richardson (warlock@eskimo.com):
>
>> While I prefer .deb over .rpm. There are some things that RPM does
>> better, gpg signing packages for one....
>
>Are you familiar with the Release.gpg mechanism?  The buildd makes sure
>the submitted package is accompanied by a .changes file signed by a
>registered Debian developer.  Later, when the official package mirrors
>pick up the package, the Packages[.gz] file distributed with it includes
>the package's md5sum.  Each Packages[.gz] file's own md5sum is provided
>in the accompanying Release file.


Unfortunately, at the last time I checked, less than 15% of the official
Debian packages were signed appropriately. I haven't checked recently,
has that improved significantly?

>
>Release files are in turn signed by the master package-releasing
>program's gpg key, and the hash stored in Release.gpg in the same
>directory.  If you're utterly paranoid, you can configure your system
>checks _that_ signature against the debian-keyring set.
>
>I'm pretty sure all official Debian binary packages are now also
>distributed _with_ gnupg signatures, but all that minutely checking
>those would demonstrate -- if you trust your keyring -- is that the
>package was signed at some time by someone in the keyring.  It may very
>well be outdated, insecure, and exploitable.
>
>Holes like that are endemic in package-signing schemes, and are the
>single biggest reason why people who do, say, "Oh, I ran rpm -Va, so my
>system is fine" are fooling themselves.



All I really want/expect a signed package to tell me, is that the
package was signed by key XXXX, which goes a long way to assuaging my
concerns re: trojans and mitm attacks. Especially after the recent
Debian crack. 

-- 
Jim Richardson     http://www.eskimo.com/~warlock
Any time things appear to be going better, you have overlooked
something.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://allium.zgp.org/pipermail/linux-elitists/attachments/20040215/a57226b3/attachment.pgp 


More information about the linux-elitists mailing list