Re: Crypto signing of packages

To: Debian developers list <debian-devel@lists.debian.org>
Subject: Re: Crypto signing of packages
From: Stuart Lamble <lamble@yoyo.cc.monash.edu.au>
Date: Wed, 19 Feb 97 12:48:55 +1100
Message-id: <[🔎] 199702190148.MAA20032@aurora.cc.monash.edu.au>
In-reply-to: Message from richard@a42.deep-thought.org of 97-Feb-19 3:38:18, <[🔎] m0vwsYc-0024vzC@a42.deep-thought.org>

Richard Jones <richard@a42.deep-thought.org> wrote:
>I don't even think maintainer key compromise is the most likely route of 
>trojans,  just as effective would be to compromise the maintainers machine,
>modifying either the original source on which the maintainer depends on for 
>building the debian package or the patch to that source.  If the maintainer 

How? The original source is md5sum'med, and that md5sum is stored on the
Debian archive. (I'm assuming here that you're talking about second and
subsequent releases). The dinstall program will reject uploads with
incorrect md5sums (trust me, it's happened to me :-) in either the .dsc
or the .changes file.

In the Debian source, it would be seen in the patch.

'Course, this _would_ apply if you were uploading a trojan-ised -1
release..

--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com

Reply to:

Follow-Ups:
- Re: Crypto signing of packages
  - From: Richard Jones <richard@a42.deep-thought.org>

References:
- Re: Crypto signing of packages
  - From: Richard Jones <richard@a42.deep-thought.org>

Prev by Date: debmake: a compromise?
Next by Date: Re: Bug#7448: error in version number for 'tf'
Previous by thread: Re: Crypto signing of packages
Next by thread: Re: Crypto signing of packages
Index(es):
- Date
- Thread