Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity

To: debian-devel@lists.debian.org
Subject: Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
From: Paul Wise <pabs@debian.org>
Date: Fri, 2 Jul 2021 01:24:09 +0000
Message-id: <[🔎] CAKTje6ELZjGifqh9tZGrvP2bfOVZo-awPqbP0AHVA=e6XVvpqA@mail.gmail.com>
In-reply-to: <[🔎] 20210701132733.jjn6xe4sh3u5lixs@yuggoth.org>
References: <162513538088.3116037.16931305603726561033.reportbug@energija.fam-tille.de> <[🔎] 20210701115122.GO10939@an3as.eu> <[🔎] 20210701135709.GA2393500@debian.org> <[🔎] 20210701121817.GQ10939@an3as.eu> <[🔎] 20210701141910.GA2418829@debian.org> <[🔎] 4ddba78b-c3cc-9431-0a2f-c1a57b70dd8b@kitware.com> <[🔎] 20210701132733.jjn6xe4sh3u5lixs@yuggoth.org>

On Thu, Jul 1, 2021 at 1:27 PM Jeremy Stanley wrote:

> There's nothing especially wrong about using signed-by, but
> it's not the security fix some people seem to believe. In short,
> *any* package you install can run arbitrary commands as the root
> user on your system during installation. Only ever install packages
> from sources you implicitly trust, since the people who control
> those packages also essentially control your system.

For sophisticated users it isn't very hard to verify that packages
don't do anything malicious as root. `apt install --download-only`,
`dpkg-deb --raw-extract`, read the maintainer scripts and check which
files are installed into the package. Often running the installed
software as a separate user will be good enough isolation for the user
parts. For anything more isolated than that you probably want to use
containment solutions (such as QubesOS, or Flatpak or VMs), probably
generated from Debian binary packages for the security support and
other advantages provided.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Reply to:

Follow-Ups:
- Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
  - From: Jeremy Stanley <fungi@yuggoth.org>
- Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
  - From: Arne Pisch <old_man999@gmx.de>

References:
- I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
  - From: Andreas Tille <andreas@an3as.eu>
- Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
  - From: Julian Andres Klode <jak@debian.org>
- Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
  - From: Andreas Tille <andreas@an3as.eu>
- Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
  - From: Julian Andres Klode <jak@debian.org>
- Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
  - From: Kyle Edwards <kyle.edwards@kitware.com>
- Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
  - From: Jeremy Stanley <fungi@yuggoth.org>

Prev by Date: Work-needing packages report for Jul 2, 2021
Next by Date: Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
Previous by thread: Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
Next by thread: Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
Index(es):
- Date
- Thread