[linux-elitists] [RANT] Debian the Elitist Distribution?
Mon Feb 16 00:39:23 PST 2004
Quoting Jim Richardson (firstname.lastname@example.org):
> cracking a box and inserting something nasty in the feed, is possible,
> (although it didn't happen with the Debian crack) but if said inserted
> package fails verification by dint of not being correctly signed, you
> are accordingly warned of the problem. Since the Debian key package
> signatures weren't on that machine, no signing could take place based on
> a crack of that machine.
Even if Debian key package signatures _had_ been on that machine, as
long as they were handled correctly, it's very unlikely that the
integrity of package-checking implemented via the Packages.* and
Release.* files would have been impaired. There are some single points
of failure on (if memory serves) the ftp-master host, but similar points
requiring protection exist in any and all functionally equivalent
Moreover, a number of the threat models you spoke of, such as MITM, are
effectively excluded by the existing regime.
> Again, I am not claiming that signed packages made a difference in this
> case, but that like many other aspects of security, it's another layer.
> Making it even harder for the "bad guys" to slip one by.
What I'm saying is that the packages _are_ signed. You're just not
familiar with the way this particular signing scheme is implemented.
Cheers,
Rick Moen
email@example.com

The cynics among us might say: "We laugh, monkeyboys -- Linux IS the
mainstream UNIX now! MuaHaHaHa!" but that would be rude. -- Jim Dennis
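The verification chain the reply refers to (archive signature over the Release file, hashes of the Packages.* indices inside Release, hashes of the .deb files inside Packages), as an added Python model that is not code from this thread or from apt. The archive data is constructed, file paths and field layout are simplified, and the OpenPGP check over Release is reduced to a boolean the caller passes in.

```python
import hashlib
# Constructed sample archive contents (not from any real Debian mirror).
DEB_PATH = "pool/main/f/foo/foo_1.0_all.deb"
DEB = b"constructed contents of foo_1.0_all.deb\n"
PKG_PATH = "main/binary-all/Packages"
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
def build_packages(deb: bytes) -> bytes:
    # One stanza of a Packages index; it records the .deb's size and hash.
    return (f"Package: foo\nVersion: 1.0\nFilename: {DEB_PATH}\n"
            f"Size: {len(deb)}\nSHA256: {sha256_hex(deb)}\n\n").encode()

def build_release(packages: bytes) -> bytes:
    # Release records the hash of every index; the archive key's OpenPGP
    # signature over it is modelled by the release_sig_ok flag below.
    return (f"Suite: stable\nSHA256:\n {sha256_hex(packages)} "
            f"{len(packages)} {PKG_PATH}\n").encode()

def parse_release_sha256(release: bytes) -> dict:
    # Map index path -> (sha256, size) from the SHA256: section of Release.
    out, in_section = {}, False
    for line in release.decode().splitlines():
        if line.startswith(" ") and in_section:
            digest, size, path = line.split()
            out[path] = (digest, int(size))
        else:
            in_section = line.startswith("SHA256:")
    return out

def parse_packages(packages: bytes) -> dict:
    # Map Filename -> SHA256 for every blank-line separated stanza.
    out, stanza = {}, {}
    for line in packages.decode().splitlines() + [""]:
        if not line:
            if "Filename" in stanza:
                out[stanza["Filename"]] = stanza.get("SHA256")
            stanza = {}
        elif ": " in line:
            key, value = line.split(": ", 1)
            stanza[key] = value
    return out

def verify_chain(release_sig_ok: bool, release: bytes, packages: bytes, deb: bytes) -> bool:
    # Every link must hold: signed Release -> Packages hash -> .deb hash.
    if not release_sig_ok:
        return False
    digest, size = parse_release_sha256(release).get(PKG_PATH, (None, None))
    if digest != sha256_hex(packages) or size != len(packages):
        return False
    return parse_packages(packages).get(DEB_PATH) == sha256_hex(deb)
```

A .deb altered on a mirror fails at the Packages link, and a Packages index regenerated to match it fails at the Release link, since the mirror cannot produce a fresh Release signature without the archive key.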