Signing Packages.gz

To: debian-devel@lists.debian.org
Subject: Signing Packages.gz
From: Chris Frey <cdfrey@foursquare.net>
Date: Fri, 24 Mar 2000 12:47:42 -0500
Message-id: <[🔎] 20000324124741.F30466@foursquare.net>

Hi,

To my understanding the package process is fairly secure on the incoming
side of Debian's package managment system.  Maintainers sign their uploads
which prevents a man-in-the-middle attack.

These packages are then checksumed in Packages.gz, but nowhere is that
file signed, that I know of.  This opens up the users to an ftp
man-in-the-middle attack during the upgrade process.

The only way a user can currently be sure he has a system from the
code the maintainers use is to compile all the packages himself (I'm
speaking from a truly paranoid security standpoint here :) ), since
the *dsc files are signed.

So my question is, what are your thoughts on adding a signature to the
current Packages.gz file, or adding a similar *dsc file for it,
which is then signed?  Are there any reasons why this hasn't been done yet
besides the obvious "nobody has time"? :-)

Thanks.  Please CC me on replies, since I'm not on the list.
- Chris

-- 
-------------------------------------------
"Chase the dream, not the competition."
     - motto of the Nemesis Air Racing Team

Reply to:

Follow-Ups:
- Re: Signing Packages.gz
  - From: Robert Bihlmeyer <robbe@orcus.priv.at>

Prev by Date: Re: Release-critical Bugreport for March 24, 2000
Next by Date: Re: blue on black is unreadable
Previous by thread: ITP: libsafe-hole-perl
Next by thread: Re: Signing Packages.gz
Index(es):
- Date
- Thread