23:02 UTC

add comment

Security Issues of Auto-upgrades
by jeff covey, in Editorials - Sat, May 13th 2000 23:59 UTC

Package managers with download capabilities make it easy to download and install the latest software releases, bugfixes, and security patches. Could they also make it easy to download and install the latest exploits without your knowing about it? In today's editorial, I put that question to representatives of Red Hat and Debian, makers of the two most widely-used Linux package management systems.

Copyright notice: All reader-contributed material on freshmeat.net is the property and responsibility of its author; for reprint rights, please contact the author directly.

apt-get install trojan

Users of certain other operating systems upgrade the software on their machines every few years (95, 98, 2000...). When you deal with software that moves at Open Source speeds and have a powerful package manager at your disposal, you can get in the habit of updating your system every morning while you sip the first cup of coffee. It's certainly convenient to be able to say "Grab anything new and install it for me", but do you know what procedures are place to ensure that you get what you were expecting and not an unwelcome surprise?

Today, I offer the results of an email discussion about package management security issues that I had with Jason Gunthorpe of Debian and Jeff Johnson of Red Hat.

Jeff Covey: The popularity of apt and rpm has led to a large number of users relying on automatic upgrades through their package management systems. Old timers who insist on compiling everything from source can be understandably concerned about the process of downloading a binary and installing it with minimal admin intervention. The convenience is bought at the price of trust in the system. How would you answer the following questions? Do you agree or disagree that the concerns they express are valid? If they are valid and are not currently addressed, do you have any ideas about how the problems could be fixed?

Jason Gunthorpe (Debian): It depends who is expressing them :> If the 'old timers' use source packages with signature files and check those signatures, then they are pretty safe. If they audit all the source code they hand compile, then they are pretty safe. But if they just download random .tars and compile them without even looking, they are no better off than we are, possibly worse off.

Jeff Covey: What facilities does your package manager (or a third party add-on such as autorpm) provide for automatic upgrading of installed packages?

Jason Gunthorpe (Debian): APT! :>

Jeff Johnson (Red Hat): rpm (and all package managers based on rpmlib) depend on ordering based on epoch:version-release comparison in order to identify the "newer" of two instances of a package with the same name.
[Jeff Covey: What I meant was: Does Red Hat provide the ability for a user to issue a command that says, "Go get any new versions of the software I have installed, and install them for me" as Debian does with APT, or can this only be done with third-party tools such as autorpm?
Jeff Johnson (Red Hat): RPM has some rudimentary support for FTP and HTTP transfers, but does not try to download anything other than what was requested. Neither does dpkg, which is a closer analogue to rpm than APT.
Closer to APT in functionality is the Red Hat up2date package, which does dependency resolution using HTTP POSTs and is able to augment an update request with other packages that will be needed to complete an upgrade.]

Jeff Covey: Who controls the package archives from which new packages are downloaded? If it's possible for third party archives to be used, does your package manager warn the user that packages are being downloaded from somewhere other than the official source?

Jason Gunthorpe (Debian): The user has choice here. Our default setup uses our top level 'official' mirrors. If third party archives are used, they would have to be manually configured by the user. No special warnings are given for these sources.

Jeff Johnson (Red Hat): Um, not applicable, as Red Hat packages are often the "official source".
[Jeff Covey: Red Hat only provides a limited subset of the software available in the RPM format. On http://www.rpmfind.net/linux/RPM/ , users will find all of these archives in addition to Red Hat versions and updates:
PowerTools
Perl CPAN
RedHat Contrib Net
Gnome Desktop Environment
Libc6 Contribs
Libc5 RedHat Contribs
Arch Independent RedHat Contribs
No Sources RedHat Contribs
RawHide
Conectiva Linux
HelixCode Gnome distribs
Mandrake
Mandrake Cooker
XBF X-Windows servers
SuSE
Linux/PPC
Yellow Dog PPC
OpenLinux
Caldera Contribs
TurboLinux
Archives for blind users
DLD
UltraPenguin
SGIlinux
LinuxM68k
Freshmeat
Coda
Beowulf
RPM.Org
Stuff on Rufus.W3.Org
Solaris packages on Real-Time.Com
RPMs for Cygwin32/Windows
and many of these have multiple subdivisions.
Jeff Johnson (Red Hat): Um, almost all, if not all, binary software distributed by Red Hat (I do not speak about Cygnus, yet) is in rpm package format with signatures. Perhaps by "Red Hat" you mean "Red Hat Distribution"? Or do you mean that ftp.redhat.com has not just Red Hat software?
Jeff Covey: It seems you're reading what you want to see instead of what I wrote. I said that Red Hat's RPMs make up only a subset of the software which is available in RPM packages, and that people will therefore be, of necessity, downloading RPMs from sources other than you, possibly overwriting your own packages, and I was asking whether issues of security related to this are taken into account in RPM's design.
Jeff Johnson (Red Hat): I was confused by your rpmfind output, as you choose to, for example, include Red Hat Power Tools as a separate entity even though those are packages produced by Red Hat. Furthermore, many (but not all) of the rpmfind categories (e.g. Mandrake, LinuxPPC come to mind) that you chose to distinguish are closely related to Red Hat packages -- in fact, often *are* Red Hat source packages except for signatures or lack thereof -- that have been rebuilt and/or redistributed for other architectures and other purposes. I can speak meaningfully only about packages produced by Red Hat, not derivative works.
Addressing issues of heterogeneous mixtures of "You pick 'em" package installation is a difficult problem that will require administrative superstructure and standards development in order to be solved meaningfully, and none of that process is complete (although it has been started).
Jeff Covey: The question I was asking was: Since you obviously can't verify the thousands of RPM files packaged by all of these distributions and individuals, does rpm provide a warning like "This package has not been prepared by Red Hat. While it's probably fine, we cannot confirm that it will work with your system. Continue installation? [Y/n]"?
Jeff Johnson (Red Hat): The goal of rpm (and tools that use rpmlib, including the Red Hat installer), by design, is to not prevent unattended installs and automatic updates by blocking on user interaction. Please note that in the example above there is little information ("Not packaged by Red Hat") that is helpful in or pertinent to answering the question "Continue installation? [Y/n]". Therefore, rpm (and the Red Hat installer) do not ask these questions during package install.
This doesn't mean that better policy (e.g. "Install only packages from Red Hat") tools aren't needed or useful, just that rpm (and the Red Hat installer) is not where the implementation should be.
Again, the Red Hat up2date agent currently implements certain install policies (but not the example above) like "Don't permit /bin/sh to be replaced" or "Don't upgrade the kernel package".
Jason Gunthorpe (Debian): One thing I hear often about .debs is that [since] we basically are the only provider (particularly of the base system), all .debs 'work' with your system.]

Jeff Covey: Does your package manager support digital signatures that can confirm that the package is from the packager it claims to be from and has not been tampered with?

Jason Gunthorpe (Debian): No. This is a very tricky topic given Debian's distributed nature.

Jeff Johnson (Red Hat): rpm supports header/payload signatures using md5 as well as all algorithms implemented in either pgp/pgp5/gpg (e.g. RSA, DSS, Diffie-Hellman, ...).

Jeff Covey: Are there procedures in place to check for trojans/virii/etc. in the original source package?

Jason Gunthorpe (Debian): Depending on which maintainer you talk to, yes or no. Some packages are inspected carefully, some are not.

Jeff Johnson (Red Hat): Checking for trojans/virii in sources is outside rpm's abilities and is solely the responsibility of the packager.

Jeff Covey: Are there procedures in place to check for trojans/virii/etc. in the package itself (for example, in the scripts used to install the package)?

Jason Gunthorpe (Debian): I don't think we have an official program for this. People do look occasionally, I'm sure.

Jeff Johnson (Red Hat): Signed rpm packages cannot be altered without being able to detect the alteration. The scripts are part of the header, which is signed, and so cannot be altered without being able to detect the change.

Jeff Covey: I'm not asking about them being altered after the fact; I'm just confirming that a procedure is in place to double-check the official signed packages to confirm that, for example, a disgruntled employee on his last day of work doesn't add "/bin/rm -rf /" to the preinstall script of the binutils package and place it in the errata FTP space.
(Debian folks: This is even more of a question for you, since you're accepting packages from people from all over, who may only have their reputations, not their jobs and the threat of prosecution, hanging over them and keeping them in line.)

Jeff Johnson (Red Hat): Part of Red Hat QA involves repeated installs of packages before and after signing that would easily detect the example you have given. Red Hat also does not release unsigned packages as errata, and there is sufficient process in place that no single employee, disgruntled or otherwise, is able to put an errata on the FTP site.
There are, of course, time bombs, viruses, and many other forms of damage more sophisticated than your example, and more generally, Red Hat, like many distributions, relies on the scrutiny of the community at large to detect and correct problems promptly. Enhancing the ability of the community to detect and correct problems before damage becomes widespread is the single best approach to insuring the safety (and quality) of packages that I can think of.

Jason Gunthorpe (Debian): We have no official auditing of packages, but before we make a stable release, the packages are put through a lot of testing and investigation; it would be hard for a simple attack to get through. Smart Devilish attacks I think could pass into stable undetected if one of our maintainers decided to make one.
People do monitor the upload list to make sure that the 'right people' are uploading the 'right packages', which tends to defuse the worst things (like libc6 trojans, etc.).
Actually, we go through a fairly intensive ID process before we accept a package from anyone. If someone does decide to do something nasty, we will know exactly who it was, and depending on local laws, they may face prosecution. Look at http://www.debian.org/devel/join/nm-checklist; it has some information about this process.

Jeff Covey: If someone were to sneak a trojan into a package, it could spread to thousands of machines overnight as admins performed automated upgrades on their systems. If this were to happen, would it be possible for you to prepare a package that would fix the problem on the next dist-upgrade (not everyone reads security bulletins, so not everyone will be aware that she's been compromised)?

Jason Gunthorpe (Debian): Yes, barring the point below.

Jeff Johnson (Red Hat): Um, yes, as Red Hat releases security errata as quickly as possible, and these updates are copied to mirror sites and up2date servers as part of the process of releasing an errata.

Jeff Covey: The answer to the previous question is naturally somewhat dependent on the nature of the trojan. As a worst case scenario: Is it possible for someone to insert a trojan into your upgrade stream which would disable your package upgrade system on the client side, making it impossible for you to distribute a fix through the normal method?

Jason Gunthorpe (Debian): Yeap. The packages install with root privilege; a well-written trojan can do anything.

Jeff Johnson (Red Hat): Signed rpm packages cannot be used as a vector for trojan horses (assuming the installer checks the signature).

Jeff Covey: Let's say Joe Packager uploads a new package of sendmail to a contrib directory. Jane User runs her automatic update script. It sees that she has sendmail installed, spots Joe's package, and offers to install it for her. Jane checks the signature. Yes, it's from Joe and has not been tampered with, so she installs it.
A couple of days later, someone notices that sendmail has been altered in this package to silently send copies of all mail to Joe and all his friends. You put out warnings about it and distribute a package with a version number higher than Joe's, so those people (like Jane) who don't bother to read security lists will at least get the fix when they run their update scripts.
Unfortunately, Joe's package also did something else: It replaced /bin/rpm with a version that will not install any version of sendmail or RPM other than Joe's. It will pretend to install your replacement, but won't actually do it, so Jane will never know that her system's been compromised.
[Jason Gunthorpe (Debian): Unless you sandbox the install scripts, this is impossible to prevent :<]
You might say this really isn't your problem, because if people want to be safe, they shouldn't install any packages that don't come from you, but it isn't reasonable to expect that, since there's a lot of software people want that Red Hat doesn't package (otherwise, Mandrake, etc. wouldn't exist). People *are* going to be getting their RPMs from other places.
[Jeff Johnson (Red Hat): Um, I question whether the example above illustrates anything but

"Joe is a dangerous moron"
"Jane is too trusting"
"Thank God someone noticed"
"People are going to do whatever they want"
so a specifically informed reply is difficult.]
Would you consider either of these valid solutions to the problem?:

Informing users when they're about to install a package that didn't come from you.
[Jeff Johnson (Red Hat): Presenting repeated yes/no questions to users usually leads to simple carriage return answers to accept the default. That isn't exactly "informing users" in anything other than a (possible) legal sense.
Not valid.]
Making certain core files untouchable by non-Red Hat packages, or at least providing much stronger warnings like "WARNING! This package, which is not an official Red Hat package, wishes to overwrite /bin/sh, which is a protected Red Hat file. This could have dangerous consequences. Proceed at your own risk, and run rpm again with --force if you really want to install this package."
[Jeff Johnson (Red Hat): Attempting to make files unremovable makes the package manager (rather than the end user) apparently responsible for the end user's safety, and, like shouting "WOLF! ..." too often or mistakenly, lulls the end user into a false sense of security. Adding "Proceed at your own risk" would keep the lawyers happy I'm sure, but would do little to protect the end user. Instrumenting overrides like "--force" is necessary for many reasons, but the functionality is more often abused than used correctly.
Not valid.]

Do you have any other ideas about what could be done?
[Jeff Johnson (Red Hat): Yes, but judging from the types of examples and questions you are asking, I don't believe that this is the correct forum to present other ideas.]

Jeff Covey: If the answer to the previous question [whether a trojan could disable the update stream] is "yes", do you think it would be beneficial to establish a class of protected packages which can only be upgraded with packages that come signed by you?

Jason Gunthorpe (Debian): This would not really help prevent the attack above; you can always use some trivial package to modify the files of an important one.

Jeff Johnson (Red Hat): Implementing better install policies based on explicitly verifying signatures is in everyone's interest.

Jason Gunthorpe (Debian): I think given what Jeff [Johnson of Red Hat] said, I'd just like to mention basically the key point in the list thread I mentioned. [See References.]
Red Hat has a single (hopefully) well-secured signing key that can only be used for packages that they produce in house. This is feasible for them because their development is concentrated in one physical location, and they don't have the constantly-changing archive like we do
Debian has a similar key kept by the Security Team, but it is infeasible to sign every official package that is created with this key, particularly since there are hundreds of new packages produced every single day. (Though we have been talking about signing full releases with this key.)
So, in the Debian situation, the next logical option is to use the maintainer's personal key for signatures. This brings up the really interesting question of 'who should sign a package'. With some 500 signing keys, the security of the whole scheme is in question. It is entirely possible to trojan an important package like libc using the most weakly secured key out of the 500.
This same problem can be applied to upstream source packages, too. If someone downloads a package, he can check the signature, but he also has to *check the key*.
The main point here is that just slapping a signature on packages does not necessarily make them as safe as the cryptosystem being used, or any safer than not having a signature.

References

Jeff Covey received his degree in classical guitar performance but spent so much time with his computer that he fell in with a bad crowd and ended up working for Andover.net. He currently works on freshmeat and runs a computer lab for the kids in his neighborhood in his spare time.
http://pobox.com/~jeff.covey
jeff.covey@freshmeat.net

T-Shirts and Fame!

We're eager to find people interested in writing editorials on software-related topics. We're flexible on length, style, and topic, so long as you know what you're talking about and back up your opinions with facts. Anyone who writes an editorial gets a freshmeat t-shirt from ThinkGeek in addition to 15 minutes of fame. If you think you'd like to try your hand at it, let jeff.covey@freshmeat.net know what you'd like to write about.

[Comments are disabled]

Referenced categories

Topic :: Security

Referenced projects

AutoRPM - An RPM auto-installer and/or FTP mirrorer.
Debian GNU/Linux - The Universal Operating System.
dpkg - A package maintenance system for Debian GNU/Linux.
Red Hat Linux - The Red Hat Linux distribution.
RPM - The RPM package management system.

Comments

[»] Yet another automated distribution system
by James Mitchell - May 15th 2000 19:53:13

AT&T/Bell Labs/Lucent has had an internal automatic distribution system for some time. A variation on the current version was detailed in a September 1998 Dr. Dobbs article titled "NSBD and Automatic Software Distribution", or http://www.bell-labs.com/project/nsbd/nsbdpaper1.html.

The solution to the problem of signed packages in a distributed development environment is for the central administrators to sign the public keys of the developers, and distributing them to the users, along with a signed list of packages that the developer has the right to distribute. This does not mean the package may not contain malware, but it does certify that the person who built the package had a right to do so.

More significantly here is to not do anything as root. This may render it useless for updating core parts of the environment, but a bit of creativity could, I suspect, at least nearly surmount this. The only program which must run in the context of this user is the automatic update program, which fetches modified files.

No untrusted program is ever run here in a context (other than by a careless root user) where it can possibly modify any system-wider resources. Further all files can be audited against a signed database of checksums, which highlights any discrepancies. This does remove the posibility of the usual pre and post install scripts, but in most circumstances this can be surmounted.

NSBD dosen't solve the problem that RedHat and Debian are trying to solve, updating 100% of the system without user intervention. It does solve 90% though, updating all non-suid/non-sgid programs without intervention, and requiring user intervention for the others. By lowering it sights slightly, it is able to acomplish this without the breathtaking security implications that rpm and dpkg have.

Further information is available at http://www.bell-labs.com/project/nsbd

[reply] [top]

[»] Yup
by Waldo Jaquith - May 14th 2000 22:33:01

I just want to point out that there's an auto-updater that wasn't mentioned in the discussion: yup, put out by Yellow Dog Linux. While it doesn't help with any of the problems discussed here, I feel I should at least point out that it exists. :)

[reply] [top]

[»] A couple of responses to other comments.
by Matthew Miller - May 14th 2000 21:43:49

First, why upgrade so often? Simple: to keep up to date with security issues. Not that there's necessarily one of these every week, let alone every night, but when one does come out, it's nice to have the fix applied as soon as possible.

Second, how could /bin/rpm be replaced by a different package? Simple. It's not done via the normal install-a-file mechanism of package manager -- instead, it's copied into place by a script.

[reply] [top]

[»] Re: Inspecting .deb files with ar
by Capt. James T. Kirk - May 14th 2000 01:58:05

The next time you're starved for amusement (or worried that there might be a Trojan in your .deb), read the man page for 'ar' and play around unpacking a .deb with it to inspect the contents...

The command is ar -x PACKAGENAME

You could also try dpkg -x PACKAGENAME OUTPUTDIR which is likely to work even when the deb format changes, as I assume at sometime in the future it will. Not using bzip2 for these packages is silly, it would cut down package size and bandwidth requirements at the cost of a few extra cycles on local machines. Anyone know what compression/archiver redhat uses? I seem to recall using cpio and gzip (?) maybe.

[reply] [top]

[»] Inspecting .deb files with ar
by Bdale Garbee - May 14th 2000 01:27:29

The .deb format had as an explicit design criteria that it be possible to unpack and inspect a .deb without needing to trust any binary tools not already on your system. Back then, very few systems ran either Debian or Redhat, so even the package mangement tool started out as something you might want to inspect before installation.

The next time you're starved for amusement (or worried that there might be a Trojan in your .deb), read the man page for 'ar' and play around unpacking a .deb with it to inspect the contents...

[reply] [top]

[»] Reputations
by Bdale Garbee - May 14th 2000 01:17:55

As someone who has worked on Debian for a long time, I find Jeff's implication that Debian developers might act less responsibly because they "may only have their reputations, not their jobs" on the line... intriguing.

I don't think I'm alone in saying that I care an awful lot more about my reputation than I do about my job. In fact, my experience is that people who do things because they are passionate about them are far more likely to "get it right" than people working for a paycheck.

[reply] [top]

[»] Re: Assume the packages are hostile... ( above )
by Capt. James T. Kirk - May 13th 2000 21:55:10

You make some good, if not paraniod points

That said, things like dpkg --listfiles should help somewhat here. See what's going to happen before you install a package if you don't trust it. Some kind of option to show the actions which would be performed would also be good (like make -n). This does not help if you are doing huge automated upgrades, but it would help if you are installing third party packages on a system you need to know is secure.

Note: dpkg --listfiles is only for already installed packages, you should use dpkg --contents PACKAGENAME.deb instead if the package is not already installed

The real problem will relying on this is that both RPMs and debs have install scripts which you cannot examine will out opening the package ( which is no big deal, but far less convenient ). If I really wanted to write a trojan I'd put the file corruption/replacement stuff in the script and then after the package is installed I'd replace the script with a blank file or innocous script, covering my tracks. This would also prevent RPM/dpkg/apt from complaining that I was relpacing a file owned by another package.

[reply] [top]

[»] Apt and conflicting packages/files
by Capt. James T. Kirk - May 13th 2000 21:36:13

This portion confuses me:

Unfortunately, Joe's package also did something else: It replaced /bin/rpm with a version that will not install any version of sendmail or RPM other than Joe's. It will pretend to install your replacement, but won't actually do it, so Jane will never know that her system's been compromised.

As anyone familiar with apt would know that when Jane attempted to install this bogus package with dpkg or apt they would complain that /bin/rpm is already owned by the package 'rpm' ( if installed ). This hopefully will seem suspicous enough to jane she won't force it to install.

On a second note, I can't wait for apt to contain a list of developers gnupg keys and automagically check while downloading packages.

[reply] [top]

[»] security of Linux distributions
by Joris van der Hoeven - May 13th 2000 18:30:31

Just another question: I do not upgrade my system every day and basically reinstall a new linux system each time a buy a new computer together with a few packages I download from the web. 1. What is actually the risk that a linux distribution on CD is infected? 2. If some packages are infected, what is the risk that some deamons, which are run in the background by default, are infected? If this risk is minimal, then bad surprises will not be likely if you only use a restricted number of programs in which you ``trust''.

[reply] [top]

[»] Assume the packages are hostile...
by Andy Longton - May 13th 2000 09:50:21

It is an axiom that lack of physical security equals no security...but that's basically what we're up against these days.

With pervasive networking, we can't assume that there's any difference between having our hands on the only key to a locked room and leaving the door unlocked. Sure, we would protect the cabling and the ability of someone to either walk off with a box or some other equipment...but the data can be compromosed in either case. That it can be more easily compromised if the room isn't locked is no longer a given.

If you're using any kind of automatic package update system, you have to assume that the packages could do some uninteneded dammage. This could be because of a trojan/virus/mole/..., unintended configuration issues, or just bad/incompatible code.

The results could be very similar, though admitedly an intentionally hostile package would likely do the most dammage since it could compromise the security of the system.

After reading the LIDS mailing list -- www.lids.org -- and considering the possibilities for intrusion, I've come to a few conclusions on how to deal with hostile packages and users or even administrators who want -- out of ignorance or intent -- to change the system in hazzardous ways.

Keep in mind that I'm recommending these types of changes for all systems, not just the firewall or some sensitive equipment stored in the server rooms. Additionally, not all the tools needed to perform these tasks are robust enough at this time, but many are comming along.

Allow no modules to load after a specific point in init. Establish networking and login support only after this point.
Trust nobody, lock it all down; Strip most of the capabilities from all user accounts that don't explicitly require them, including root. This includes but is not limited to running specific programs, modifying specific directories/files, and using symlinks and other handy features normally available to daemons/wheel/root accounts.
Require switching to single user mode to perform changes in the above two. (Everyone, go ahead and shout about this...it is an issue!)
Require all daemons to both be installed and run in a seperate environment similar to FreeBSD 4.0's jail() or -- potentially -- User Mode Linux when it becomes robust enough for the task. The idea is to allow an errant/hostile program to only do dammage in it's own area...and then monitor it to see if it does have problems. Killing it or reinitializing it would be fairly easy, causing minimal down time for most services.
Provide a mechanism -- such as a journaling file system or aggressive backups -- that can back out specific changes, undoing most/all of the dammage caused when it occurs.

Now, I realize that this is a colossal pain in the ass to administer, but steps like these would eliminate the need to vainly try and repair dammage to files, or to resort to backups from yesterday. The procedures/policies and scripts to make this practical or even easy still have to be created...and those aren't trivial either.

I doubt that any current OS will lack these types of features in 10 years.

[reply] [top]

[»] Why do you need to upgrade everything that often?
by B!nej - May 13th 2000 08:44:08

It seems to me that updating a system every day (or even every week) is a good way to ensure you have an unstable system you can never get work done on. People who are using their systems for real work probably have better things to do than starting automatic upgrades that never change that much anyway. I can think of better uses for bandwidth too.

Compared to doing a full system upgrade to get the latest stuff, isn't it better, faster and easier to simply get the software you need, compile it in a spare user account, use make -n install to ensure it doesn't do anything too rude, then install?

[reply] [top]

[»] Great Discussion!
by dirac - May 13th 2000 03:08:05

Hey, that was an excellent discussion about the dangers of trusting automatic binary updates/installs. Given the way that the Linux software distribution method is in effect at this time, I wonder about things like this - why don't we have trojan horses and virii to the extant that we possibly could? In truth, I believe it has to do with the way that the Linux system is designed and the way that software is distributed. In fact, I have noticed that in most cases, people who code Linux software are rather outspoken about their work, making web-pages and such to describe it - this makes them more than just faceless coders. The community, and the ethic of Linux itself, seem to be the main reasons why we do not have the kind of problems that Windows has.

However, if Linux did have these kind of problems, I do not doubt for a second that these "automagic" install methods would be targetted. It is wonderful that we have the trust that we have here - but maybe all the distros should start looking into some security, for peace of mind, of course. :)

[reply] [top]

[»] Debian keys
by Andrew Clausen - May 13th 2000 03:04:03

Would it be possible to have a master key stored on some
well secured machine that maintainers have access to?

So you could do something like:

ssh maintainers-account@sign.debian.org
$ debsign PACKAGE

debsign being setuid, so it can read /etc/debian.private-key

Perhaps a database could be kept, saying which packages each
maintainer is allowed to sign.

[reply] [top]