On Wed, February 18, 2009 13:31, Christoph Anton Mitterer wrote: > As apt-file loads information from the internet, I wondered: > Is secure-apt used and if not, can it be used? > > e.g. the Contents files,... are they secured by the signed Release files? > > apt-file should check this (and then depend on debian-archive-keyring), > and bail out when something doesn't verify.
I do not understand what security problem could arise that using the Release file signing could alleviate. Suppose I supplied a crafted version, what then? The Release files do not currently sign the Contents files. I cannot think of what we should gain with doing that. > In addition: It should use ONLY the secure hashes provided. Especially > MD5 is now really broken, IMHO. If for a file only MD5 was provided, > I'd consider it as invalid, as well. It seems very hard to create a md5-colliding Contents file that is still parsed by apt-file.. Thijs -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
