Package: devscripts
Version: 2.10.69
Severity: wishlist

It has happened in the past and will happen again that a mirror, or even the
original download server for a project, is compromised and minimally modified
sources are uploaded. A packager using uscan will usually trust that the
sources are untouched and can be relied upon.

This may be a wrong assumption, and some projects provide different ways to
check the integrity of downloaded files. The usual way is a *.sha1 or *.md5
file next to the actual download file. This file can easily be modified by an
attacker (and these hashes are currently too weak for serious security
applications). This makes it unsuitable for our tests. There is still the
possibility that this file is downloaded from a trusted site which is different
from the site we downloaded the file from. I will not follow this path any
longer due to the complexity for uscan.

A more interesting approach is to make it possible to download the source
tarball and a pgp/gnupg signature which is used to verify the file. The
attacker could now modify this signature too, but cannot do so with the same
private key (usually - there is still the possibility that the attacker
kidnapped the release manager and forced him to sign the modified tarball). So
we need to ensure that only one or more predefined keys are accepted.

I don't expect uscan to implement all that in the framework in a heavily
configurable manner, but to allow adding some kind of verify hook that calls
an external script. This script has to receive the URL which was used to
download the file and the location of the downloaded file. The return value
can be used by uscan to decide if the file is OK or was modified.

Here is a simple example of what a maintainer-defined script has to do
(apart from the initial download, which is done by uscan):

#!/bin/sh
set -e

DOWNLOAD_URL="http://mirror.synyx.de/apache//httpd/mod_ftp/mod_ftp-0.9.6-beta.tar.gz"
DOWNLOADED_FILE="mod_ftp-0.9.6-beta.tar.gz"
TMP="`mktemp -d`"
trap 'rm -rf "$TMP"' 0

wget -q "$DOWNLOAD_URL" -O "$DOWNLOADED_FILE" # this should not be done by us
# fetch the detached signature published next to the tarball
wget -q "$DOWNLOAD_URL".asc -O "$TMP/sign"

# build a throwaway keyring that holds only the release manager's key
rm -f "$TMP/keys"
gpg --batch --no-default-keyring --keyring "$TMP/keys" \
    --recv-keys B1B96F45DFBDCCF974019235193F180AB55D9977 || true

# verify against that keyring only; a bad or missing signature makes gpg
# exit non-zero and, because of set -e, the script as well
gpg --batch --no-default-keyring --keyring "$TMP/keys" \
    --keyserver-options no-auto-key-retrieve \
    --verify "$TMP/sign" "$DOWNLOADED_FILE"
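To make the proposed hook interface concrete, here is an added example of such a maintainer-defined verify script. It is not part of this report and not code from devscripts or uscan; it assumes uscan would call it as `verify-hook.sh <download-url> <downloaded-file>` and treat a non-zero exit status as "modified". It goes one step beyond the snippet above by reading gpg's machine-readable --status-fd output and accepting the file only when the VALIDSIG line names the pinned fingerprint, so the decision does not rest on gpg's exit status alone. The fingerprint is the one used above; the status lines in SAMPLE_STATUS are constructed for illustration, not captured from a real run.

```shell
#!/bin/sh
# Added example of a maintainer-defined verify hook (not uscan's own code).
# Assumed interface: uscan runs
#     verify-hook.sh <download-url> <downloaded-file>
# and treats a non-zero exit status as "the file was modified".
set -eu

# Fingerprint of the only key whose signatures are accepted (the one from the
# report above).  Pinning the full fingerprint, not a short key ID, is what
# stops an attacker from simply signing with a key of their own.
TRUSTED_FPR="B1B96F45DFBDCCF974019235193F180AB55D9977"

# Return 0 if gpg's --status-fd output contains a VALIDSIG line whose signing
# key or primary key fingerprint equals $2, otherwise 1.  Format of the line:
#   [GNUPG:] VALIDSIG <fpr> <date> <timestamp> <expire> <ver> <resv>
#            <pk-algo> <hash-algo> <class> <primary-key-fpr>
validsig_matches() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
        (toupper($3) == toupper(want) || toupper($NF) == toupper(want)) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# The actual hook: fetch the detached signature, build a throwaway keyring
# holding only the trusted key, verify, and then check the fingerprint.
verify_download() {
    url="$1"
    file="$2"
    tmp="$(mktemp -d)"
    trap "rm -rf '$tmp'" 0

    wget -q "$url.asc" -O "$tmp/sig"
    gpg --batch --no-default-keyring --keyring "$tmp/keys" \
        --recv-keys "$TRUSTED_FPR"

    # --status-fd 1 puts the machine-readable result on stdout; a bad
    # signature already makes gpg (and so this function) fail here.
    status="$(gpg --batch --no-default-keyring --keyring "$tmp/keys" \
        --keyserver-options no-auto-key-retrieve --status-fd 1 \
        --verify "$tmp/sig" "$file")" || return 1

    # gpg exiting 0 only says "some key in the keyring made a good signature";
    # insist on the pinned key before reporting success.
    validsig_matches "$status" "$TRUSTED_FPR"
}

# Constructed sample of gpg status output (not captured from a real run),
# showing the lines the check above looks at.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 193F180AB55D9977 Example Release Manager <rm@example.invalid>
[GNUPG:] VALIDSIG B1B96F45DFBDCCF974019235193F180AB55D9977 2011-02-13 1297600000 0 4 0 1 2 00 B1B96F45DFBDCCF974019235193F180AB55D9977
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Run the real hook only when both arguments are supplied, so that loading
# the file for the checks on SAMPLE_STATUS does no network access.
if [ "$#" -ge 2 ]; then
    verify_download "$1" "$2"
fi
```

Run as `verify-hook.sh <url> <file>`; uscan would only have to look at the exit status. Checking the fingerprint from VALIDSIG rather than trusting gpg's exit status alone means the result does not depend on what else may have ended up in the keyring.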

--- System information. ---
Architecture: i386
Kernel:       Linux 2.6.37-trunk-686

Debian Release: 6.0
  500 testing         www.debian-multimedia.org 
  500 testing         ftp.debian.org 
  500 testing         eeepc.debian.net 
    1 experimental    ftp.debian.org 

--- Package information. ---
Depends          (Version) | Installed
==========================-+-==============
dpkg-dev     (>= 1.15.4.1) | 1.15.8.8
perl                       | 5.10.1-17
libc6           (>= 2.1.3) | 2.11.2-7


Recommends                    (Version) | Installed
=======================================-+-===========
at                                      | 
curl                                    | 7.21.0-1
 OR wget                                | 1.12-2.1
dctrl-tools                             | 2.14.5
debian-keyring                          | 2010.12.29
debian-maintainers                      | 
dput                                    | 0.9.6.1
 OR dupload                             | 
equivs                                  | 2.0.8
fakeroot                                | 1.14.4-1
gnupg                                   | 1.4.10-4
libauthen-sasl-perl                     | 2.1500-1
libcrypt-ssleay-perl                    | 0.57-2
libparse-debcontrol-perl                | 2.005-2
libsoap-lite-perl                       | 0.712-2
libterm-size-perl                       | 0.2-4+b1
libtimedate-perl                        | 1.2000-1
liburi-perl                             | 1.54-2
libwww-perl                             | 5.836-1
libyaml-syck-perl                       | 1.12-1
lintian                                 | 2.4.3
lsb-release                             | 3.2-23.2squeeze1
bsd-mailx                               | 8.1.2-0.20100314cvs-1
 OR mailx                               | 
man-db                                  | 2.5.7-8
patch                                   | 2.6-2
patchutils                              | 0.3.1-2
ssh-client                              | 
strace                                  | 4.5.20-2
unzip                                   | 6.0-4
wdiff                                   | 0.6.3-1
www-browser                             | 
subversion                              | 1.6.12dfsg-4
 OR cvs                                 | 1:1.12.13-12
 OR darcs                               | 
 OR tla                                 | 
 OR bzr                                 | 
 OR git-core                            | 1:1.7.2.3-2.2
 OR mercurial                           | 1.6.4-1
lzma                                    | 4.43-14
xz-utils                                | 5.0.0-2
sensible-utils                          | 0.0.4
libjson-perl                            | 2.21-1


Suggests                        (Version) | Installed
=========================================-+-============
build-essential                           | 11.5
cvs-buildpackage                          | 
devscripts-el                             | 
gnuplot                                   | 4.4.0-1.1
libfile-desktopentry-perl                 | 
libnet-smtp-ssl-perl          (>= 1.01-2) | 1.01-2
mutt                                      | 1.5.20-9+squeeze1
svn-buildpackage                          | 
w3m                                       | 


