
gwdg.de contains unsigned rpms: risk of apt repository compromise?

From:  Timur <>
To:  letters-AT-lwn.net
Subject:  gwdg.de contains unsigned rpms: risk of apt repository compromise?
Date:  Tue, 16 Mar 2004 02:41:12 -0800 (PST)

Dear Editor,
 
I found out recently that there is an increasing
number of RPMs in the apt repository on gwdg.de which are
not signed. The apt repository on gwdg is very useful
since it allows people to automagically update their
distribution with the latest packages (as you reported in
one of your articles).
 
The lack of RPMs signature generates two issues:
 
a - packages cannot be installed via apt (latest
apt/apt-libs/synaptic refuse to install unsigned
RPMs): it is annoying but a minor issue since you can
always install the downloaded package via rpm -Uhv
 
b - potentially VERY important - we could risk a
situation similar to debian where compromised packages
(i.e. with Trojan horses) are spread on our Linux
systems
 
Is there any reason for having unsigned packages? Is
there the risk that our repository has been
compromised?
 
Maybe I'm too paranoid, but I think it is better to
verify it... Can you eventually ask it on your weekly
document?
If there is no issue then I think that the maintainer
of those packages should start to sign the RPMs once
again...
 
regards,
Timur
 
Note: if possible I would prefer that my address
doesn't appear on your magazine.
 



gwdg.de contains unsigned rpms: risk of apt repository compromise?

Posted Mar 18, 2004 9:27 UTC (Thu) by hensema (guest, #980) [Link]

The author has -- as most of us -- automatically upgraded to a version of apt which automatically checks signatures. Previous versions did not.

There is no change in the SuSE rpms in the repository: some are signed, some are not. This has always been the case.

Of course it would be preferable if all rpms were signed. I think all original SuSE rpms are signed, so if you limit yourself to base and security, you should be fine.

If you want to install unsigned packages with apt (as you've always done!), you can disable the signature check by editing /etc/apt/apt.conf.d/gpg-checker.conf
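The letter asks which packages in a mirror are unsigned, and the comment above suggests turning the apt check off. As an added example (not from either poster), this POSIX sh script instead audits a directory of downloaded RPMs by parsing the output of `rpm --checksig`, so unsigned or failing packages can be listed without disabling verification. It assumes the rpm 4.x line format (a signed package prints a `gpg`/`pgp` token, newer versions print `signatures`); the sample lines and package names are constructed.

```sh
#!/bin/sh
# Added example: classify `rpm --checksig` output lines and report packages
# that are not verified as signed. Assumed line formats (rpm 4.x):
#   signed:   pkg.rpm: (sha1) dsa sha1 md5 gpg OK
#   unsigned: pkg.rpm: sha1 md5 OK
#   failing:  pkg.rpm: (sha1) dsa sha1 md5 (gpg) NOT OK
# Newer rpm prints "digests signatures OK"; that token is accepted too.

# classify_checksig_line LINE -> prints "signed", "unsigned" or "bad"
classify_checksig_line() {
    lower=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z')
    case "$lower" in
        *"not ok"*) echo bad; return ;;      # digest or signature failed
    esac
    case " $lower " in
        *" gpg "*|*" pgp "*|*" signatures "*) echo signed ;;
        *) echo unsigned ;;                   # digests only, no signature
    esac
}

# report_unsigned: read checksig lines on stdin, print "STATUS FILE" for
# every package that did not verify as signed (nothing for signed ones).
report_unsigned() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%%:*}
        status=$(classify_checksig_line "$line")
        [ "$status" = signed ] || printf '%s %s\n' "$status" "$name"
    done
}

# Constructed sample output standing in for: rpm --checksig /mirror/*.rpm
SAMPLE_CHECKSIG='example-signed-1.0-1.i586.rpm: (sha1) dsa sha1 md5 gpg OK
example-unsigned-2.0-1.i586.rpm: sha1 md5 OK
example-tampered-3.0-1.i586.rpm: (sha1) dsa sha1 md5 (gpg) NOT OK'

# Real use: rpm --checksig /path/to/mirror/*.rpm | report_unsigned
printf '%s\n' "$SAMPLE_CHECKSIG" | report_unsigned
```

Packages reported as `bad` deserve more attention than `unsigned` ones: a signed package whose signature no longer verifies is exactly the case the letter worries about.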


Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds