Noam Rathaus wrote:

Hi,

I was wondering if Debian.org was hacked, how far was I as a simple user doing routinely "apt-get update" followed by "apt-get upgrade" (on the stable Debian) from getting my system Trojaned? Or as an advanced user doing the same on the unstable packages?

Thanks
Noam Rathaus
CTO
Beyond Security Ltd.
http://www.securiteam.com


The debian "DEB" files are gpg signed by debian maintainers. The list of maintainers is also maintained in a (signed) package called "debian-keyring". In theory, this means that getting root on the primary mirror will not allow you to trojan Debian machines.

So far for the theory. In practice, I'm not sure whether the mechanism for checking these signatures is easily installable. As such, it is likely that many, if not most, Debian installations do not, in fact, verify signatures against the debian-keyring.

Also bear in mind that anyone from this ring can, in theory, trojan the distro once they take over the servers. Then again, they can also do that anyways by trojaning their own binary. Also, we will all know who that maintainer was.

Last - a correction for Muli. While the main distro site was not broken into, the "security" and "non-us" sites were. Apparently, none of the packages were tampered with, but the actual servers holding the packages were, in fact, broken into.

--
Shachar Shemesh
Open Source integration & consulting
Home page & resume - http://www.shemesh.biz/
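As an added illustration of what a signature check actually buys a user against a compromised mirror, the following example (not code from the thread or from Debian) simulates the apt hash chain: a signed Release file lists the hash of the Packages index, which in turn lists the hash of each .deb. It assumes that Release-file model and that the Release signature itself has already been verified with gpgv against the archive keyring, a step not shown here; all file contents are constructed.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256, size)} from the 'SHA256:' section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new top-level field ends the section
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text: str) -> dict:
    """Return {Filename: (sha256, size)} from the stanzas of a Packages index."""
    result, stanza = {}, {}
    for line in packages_text.splitlines() + [""]:  # trailing "" flushes the last stanza
        if line == "":
            if "Filename" in stanza:
                result[stanza["Filename"]] = (stanza["SHA256"], int(stanza["Size"]))
            stanza = {}
        elif ":" in line:
            key, _, value = line.partition(":")
            stanza[key.strip()] = value.strip()
    return result


def verify_chain(release_text, packages_path, packages_bytes, deb_files) -> bool:
    """Client side: Packages must match the signed Release, each .deb must match Packages."""
    expected = parse_release_sha256(release_text).get(packages_path)
    if expected != (sha256_hex(packages_bytes), len(packages_bytes)):
        return False
    index = parse_packages(packages_bytes.decode())
    return all(index.get(n) == (sha256_hex(d), len(d)) for n, d in deb_files.items())


def build_archive(deb_files: dict) -> tuple:
    """Archive side (simulated): generate Packages and the Release 'SHA256:' section."""
    stanzas = [f"Package: {n.split('/')[-1].split('_')[0]}\nFilename: {n}\n"
               f"Size: {len(d)}\nSHA256: {sha256_hex(d)}\n" for n, d in deb_files.items()]
    packages = "\n".join(stanzas).encode()
    release = f"Suite: stable\nSHA256:\n {sha256_hex(packages)} {len(packages)} main/binary-i386/Packages\n"
    return release, packages


def run_scenarios() -> dict:
    genuine = {"pool/main/f/foo/foo_1.0-1_i386.deb": b"constructed genuine .deb bytes"}
    release, packages = build_archive(genuine)       # Release is what the gpg signature covers
    path = "main/binary-i386/Packages"
    trojaned = {k: b"constructed trojaned .deb bytes" for k in genuine}
    _, forged_packages = build_archive(trojaned)     # mirror also regenerates the index
    return {"genuine": verify_chain(release, path, packages, genuine),
            "swapped_deb": verify_chain(release, path, packages, trojaned),
            "forged_index": verify_chain(release, path, forged_packages, trojaned)}
```

Only the last scenario is caught by the Release signature alone, which is why a client that skips that check (as the reply suspects most did) gains nothing from the hashes below it.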
