LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Letters page

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

Plugging into GCC

LWN.net Weekly Edition for October 2, 2008

Ubuntu debuts its Upstream Report

openSUSE and the distribution of proprietary software

LPC: What's happening with webcams

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

gwdg.de contains unsigned rpms: risk of apt repository compromise?

[Posted March 17, 2004 by corbet]

From:  Timur <>
To:  letters-AT-lwn.net
Subject:  gwdg.de contains unsigned rpms: risk of apt repository compromise?
Date:  Tue, 16 Mar 2004 02:41:12 -0800 (PST)

Dear Editor,
 
I found out recently that there is an increasing
number of RPMs in apt repository on gwdg.de which are
not signed. The apt repository on gwdg is very usefull
since it allows people to automagically update their
distribution with latest packages (as you reported in
one of your articles)
 
The lack of RPMs signature generates two issues:
 
a - packages cannot be installed via apt (latest
apt/apt-libs/synaptic refuse to install unsigned
RPMs): it is annoying but a minor issues since you can
always install the downloaded package via rpm -Uhv
 
b - potentially VERY important - we could risk a
situation similar to debian where compromised packages
(i.e. with Trojan horses) are spread on our Linux
systems
 
Is there any reason for having unsigned packages? Is
there the risk that our repository have been
compromise d?
 
Maybe I'm too paranoid, but I think it is better to
verify it... Can you eventually ask it on your weekly
document?
If there is no issue than I think that the maintainer
of those package should start to sign the RPMs once
again...
 
regards,
Timur
 
Note: if possible I would prefer that my address
doesn't appear on your magazine.
 

(Log in to post comments)

gwdg.de contains unsigned rpms: risk of apt repository compromise?

Posted Mar 18, 2004 9:27 UTC (Thu) by hensema (guest, #980) [Link]

The author has -- as most of us -- automatically upgraded to a version of apt which automatically checks signatures. Previous versions did not.

There is no change in the SuSE rpms in the repository: some are signed, some are not. This has always been the case.

Of course it would be preferable if all rpms were signed. I think all original SuSE rpms are signed, so if you limit yourself to base and security, you should be fine.

If you want to install unsigned packages with apt (as you've always done!), you can disable the signature check by editing /etc/apt/apt.conf.d/gpg-checker.conf

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds