On Sunday 06 February 2005 06:51 pm, Sam Morris wrote:
> Daniel Burrows wrote:
> > [snip]
>
> Having purged and reinstalled mplayer-nogui, aptitude in TUI mode does
> indeed warn me that doing so could compromise my system. Hurrah! :)
>
> > Also, reinstalling packages never needs to show a warning, because you're
> > always installing the same package you already have installed (and which
> > was presumably verified to your satisfaction).
>
> Hm, this is true. But let's assume for a minute that Marillat's
> repository was broken into today, and an attacker replaced the
> mplayer_1.0-pre6-sarge0.1_i386.deb that was already there, with a
> rebuilt one containing some evil code.
>
> Now, I installed mplayer-nogui a few weeks ago, when I was able to
> verify the repository contents. But today when I asked aptitude to
> reinstall the package, no warning was given--even though the .deb
> it subsequently installed could not be verified.
>
> Of course it's possible that aptitude does some checking that the deb it
> downloaded has the same contents as the one that was installed a few
> weeks ago--if this is so then there is no bug. :)
Yeah, I thought about this after I sent the message :-P I was ass-u-ming
that apt would keep track of the MD5Sum of the .deb that was actually
installed, and treat the evil hacked version as a separate version -- i.e.,
the currently installed .deb would be trusted, and the new one wouldn't.
On second thought, though, that may not be the case.

> > One thing I don't know is what will happen if a repository that was
> > previously secure loses its signature -- I believe that when this
> > happened to the Debian archive, I got a warning dialog about everything
> > that I was trying to upgrade, but I may be misremembering now. It would
> > be (colloquially) a serious bug if that was treated as an upgrade from
> > insecure versions to insecure versions.
>
> I believe this is what has happened to me, except that I was
> reinstalling the same package rather than updating.

Yes, but I believe it's a different code path, so it's possible that this
will work even if reinstalling doesn't. It depends on whether apt keeps
track of the fact that the current version of a package was originally
trusted, even if the source it came from isn't trusted any more.

> I have a further question: what happens if I installed a package from an
> unverified repository, that some time later became signed by its
> maintainer, and then I upgraded a package that resulted in a verified
> version being installed, and then later _again_, the repository
> signature went away? Actually, I suppose it wouldn't matter because 1)
> I'm unlikely to have the signing key randomly imported into apt-key, and
> 2) I asked for the package to be installed when it was not verifiable in
> the first place.

If the verified version is installed, I would hope that you would get a
warning next time you upgraded. As I said, I need to check apt's actual
behavior in this regard.

Either way, I can definitely see the value in having an option to always
see the warning whenever you install an untrusted package. The main reason
that doesn't happen right now is that I can see it becoming a thing where
people get into the habit of ignoring the warnings.

Daniel

-- 
/------------------- Daniel Burrows <[EMAIL PROTECTED]> ------------------\
|  "Witches and pickles went together like...she hesitated at            |
|  the stomach-curdling addition of peaches and cream, and               |
|  mentally substituted 'things that went together very well'"           |
|    -- Terry Pratchett                                                   |
\--- Be like the kid in the movie!  Play chess!  -- http://www.uschess.org --/
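The reinstall check the thread is circling around, as an added example that is not apt's or aptitude's code: a trust-aware package manager records, for each installed package, the hash of the .deb it actually unpacked and whether the source was verified at the time, and a reinstall from a source that has since lost its signature stays silent only when the download matches that record. The record/candidate names, the choice of SHA-256, the "always warn" flag and the sample .deb bytes are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class InstalledRecord:
    """Per-package record a trust-aware manager would keep (an assumption)."""
    name: str
    version: str
    deb_sha256: str        # hash of the .deb that was actually unpacked
    source_verified: bool  # source signature checked out at install time

@dataclass(frozen=True)
class Candidate:
    """The .deb a reinstall or upgrade would fetch right now."""
    name: str
    version: str
    deb_bytes: bytes
    source_verified: bool  # does the source carry a valid signature today?

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def reinstall_warning(rec, cand, always_warn_untrusted=False):
    """Return None when no warning is needed, else the reason to warn. A silent
    reinstall is only safe when the download is byte-for-byte the .deb installed
    from a then-verified source."""
    if cand.source_verified:
        return None
    if always_warn_untrusted:
        return "option set: warn on every install from an unverified source"
    if rec is None or (rec.name, rec.version) != (cand.name, cand.version):
        return "no install record for this version: treated as a new untrusted install"
    if not rec.source_verified:
        return "this version was itself installed while its source was unverified"
    if sha256_hex(cand.deb_bytes) != rec.deb_sha256:
        return "downloaded .deb differs from the one installed when the source was verified"
    return None

# Constructed sample data modelling the thread's scenario (not real .deb contents).
ORIGINAL_DEB = b"constructed: mplayer-nogui 1.0-pre6-sarge0.1 as first installed"
REPLACED_DEB = b"constructed: rebuilt .deb with different contents"
RECORD = InstalledRecord("mplayer-nogui", "1.0-pre6-sarge0.1",
                         sha256_hex(ORIGINAL_DEB), source_verified=True)

def scenarios() -> dict:
    same = Candidate("mplayer-nogui", "1.0-pre6-sarge0.1", ORIGINAL_DEB, False)
    swapped = Candidate("mplayer-nogui", "1.0-pre6-sarge0.1", REPLACED_DEB, False)
    return {"same_deb_repo_unsigned": reinstall_warning(RECORD, same),
            "swapped_deb_repo_unsigned": reinstall_warning(RECORD, swapped),
            "same_deb_always_warn": reinstall_warning(RECORD, same, True)}
```

Only the first scenario (the same bytes that were installed while the source was still signed) comes back without a warning; a swapped .deb, an unknown version, or the always-warn option all produce one.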