[olug] Redhat Versus Debian

Dave Burchell burchell at inetnebr.com
Tue Oct 17 21:52:43 UTC 2000


Vincent says:

> I'm curious now.  Can apt-get do signature verification like rpm does?  i.e.

> gpg --import /mnt/cdrom/RPM-GPG-KEY
> rpm --checksig ftp://server/wherever

No, and this is a Debian weakness.  From the April 11, 2000 Debian Weekly
News (<http://www.debian.org/News/weekly/2000/11/>):

	For a long time everyone has been aware of a basic security
	problem in Debian: packages can be changed on Debian mirrors
	and users have no way to verify that the package they download
	is the same package a developer uploaded. Two ideas have come
	up again and again as ways to make this more secure. The first
	idea is to allow for signatures inside the .deb files
	themselves, which lets one verify that a given developer built
	a package. The second is to allow for signed Packages.gz files,
	which lets one verify that the package went through the normal
	upload process.  Neither of these signatures will provide
	perfect security.  There are many holes left; for example, a
	developer's computer may be cracked and if they do not manage
	their keys wisely, their key may be compromised. In the past,
	in typical Debian fashion, we have held off doing anything
	since there was no known perfect solution.

Security Portal's review was brutal but (mostly) honest
(<http://www.securityportal.com/closet/closet20000830.html>):

  dpkg - My main beef with dpkg is the lack of package signing support.
  Unlike RPM, dpkg does not support the signing of packages with GnuPG
  or PGP. This is important, since verifying the software you are
  installing prevents people from getting you to install Trojan
  horses.

This is certainly an area in which Debian needs improvement.  However, 
you can get a CD of the distribution which _is_ signed.  Just verify that
the MD5 checksum is that of the "official" disk and you know you don't have
a trojaned package.  This does not help with updates, however.

-- 
Dave Burchell                                          40.49'N, 96.41'W
Free your mind and your software will follow.              402-467-1619
http://incolor.inetnebr.com/burchell/                  burchell at acm.org     
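
Checking files against a published checksum list, as an added example that is not part of the original post (the file names and image contents are constructed). It parses GNU md5sum-format lines, the format of the MD5SUMS file distributed beside CD images, hashes each listed file, and reports OK, FAILED or MISSING; a match only shows the file agrees with the list, so the list itself still has to come from a trusted source such as the official disk.

```python
# Added example, not from the original post: verify files against an md5sum-style
# MD5SUMS manifest. Matching the list proves nothing unless the list itself is trusted.
import hashlib, hmac, os, re, tempfile

# GNU md5sum line: 32 hex digits, a space, then ' ' (text) or '*' (binary), filename
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")

def parse_manifest(text):
    """Return {filename: expected_md5_hex}; blank lines and '#' comments are skipped."""
    expected = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError("malformed manifest line: %r" % line)
        expected[m.group(2)] = m.group(1).lower()
    return expected

def md5_of_file(path, chunk=1 << 20):
    h = hashlib.md5()  # hash in chunks: a CD image should not be read into memory whole
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_manifest(manifest_text, directory):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, want in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        # compare_digest: constant-time comparison of the two hex digests
        results[name] = "OK" if hmac.compare_digest(md5_of_file(path), want) else "FAILED"
    return results

def demo():
    """Constructed sample: one intact 'image', one tampered copy, one absent file."""
    d = tempfile.mkdtemp()
    good = b"constructed stand-in for an ISO image\n"
    for name, data in (("good.iso", good), ("bad.iso", good + b"tampered")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    h = hashlib.md5(good).hexdigest()
    manifest = h + "  good.iso\n" + h + " *bad.iso\n" + "0" * 32 + "  gone.iso\n"
    return verify_manifest(manifest, d)
```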
