severity 440841 normal
thanks

Sami Liedes <[EMAIL PROTECTED]> (04/09/2007):
> Justification: root security hole

?!

> This is bad: It silently accepts any package signed by any key in the
> running user's keyring.

What about the following? An Application Manager asks his/her New Maintainer applicant to sign the source packages, or, more generally, one provides source packages on one's website and publishes the key with which they were signed. (See also <http://mentors.debian.net>.) Doesn't the current behaviour exactly fit these purposes?

> 1. Download the public key of Adam Attacker.

Then it would be considered a user-assisted security hole at most, don't you think?

> I trust those sources anyway because dpkg-source is supposed to verify
> that the package is signed by a Debian Developer.

Who said that? I can't find anything about that in the dpkg-source manpage, or in the description of the dpkg-dev package. Given the source code, the goal is to verify that the signature is correct, not that it is a signature from a key in the Debian keyring.

Cheers,

-- 
Cyril Brulebois
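The distinction the reply draws, "the signature is correct" versus "the signature comes from a key in the Debian keyring", is exactly the gap a caller of dpkg-source has to close itself. The following is an added example written for this thread, not dpkg's own code: it runs gpgv against an explicitly pinned set of keyrings rather than the user's default keyring, parses the machine-readable `--status-fd` output, and maps it to an accept/reject decision. With the keyring pinned, a key that was merely imported into the user's personal keyring (the "Adam Attacker" case) shows up as NO_PUBKEY instead of GOODSIG. The optional fingerprint allowlist covers the mentors/NM case, where the verifier trusts one specific key and no other. The keyring paths are assumptions for the example (they are where the Debian keyring package installs its files); the status keywords (GOODSIG, VALIDSIG, BADSIG, ERRSIG, NO_PUBKEY, EXPKEYSIG, REVKEYSIG, EXPSIG) are gpg's documented ones.

```python
#!/usr/bin/env python3
"""Pin .dsc signature verification to an explicit keyring.

Added example for this discussion, not dpkg's own code. It separates
"the signature is cryptographically correct" (what a bare gpg --verify
against the user's default keyring tells you) from "the signature comes
from a key we decided to trust" (gpgv fed only trusted keyrings, optionally
narrowed to specific fingerprints).
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed paths for the example: the Debian keyring package ships these.
# Nothing below touches them unless verify_dsc() is actually called.
TRUSTED_KEYRINGS = (
    "/usr/share/keyrings/debian-keyring.gpg",
    "/usr/share/keyrings/debian-maintainers.gpg",
)

# gpgv --status-fd lines look like "[GNUPG:] KEYWORD arg1 arg2 ...".
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def parse_status(status_text: str) -> list:
    """Turn gpgv status output into [(keyword, [args...]), ...]."""
    parsed = []
    for line in status_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            parsed.append((m.group(1), (m.group(2) or "").split()))
    return parsed


def decide(status_text: str,
           allowed_fingerprints: Optional[Iterable[str]] = None) -> Verdict:
    """Map gpgv status output to an accept/reject decision.

    NO_PUBKEY means the signing key is not in any keyring we handed to gpgv,
    i.e. a valid signature from a key we never chose to trust. The optional
    allowlist further restricts acceptance to named fingerprints.
    """
    entries = parse_status(status_text)
    keywords = {kw for kw, _ in entries}
    # VALIDSIG carries the full fingerprint; GOODSIG only the short key id.
    fpr = next((args[0] for kw, args in entries if kw == "VALIDSIG" and args), None)

    if "BADSIG" in keywords:
        return Verdict(False, "signature does not match content (tampered or corrupt)")
    if "NO_PUBKEY" in keywords:
        return Verdict(False, "signing key is not in a trusted keyring")
    if "ERRSIG" in keywords:
        return Verdict(False, "gpgv could not check the signature")
    if keywords & {"EXPKEYSIG", "REVKEYSIG", "EXPSIG"}:
        return Verdict(False, "signing key or signature is expired or revoked", fpr)
    if "GOODSIG" not in keywords or fpr is None:
        return Verdict(False, "no valid signature found")
    if allowed_fingerprints is not None:
        allowed = {f.replace(" ", "").upper() for f in allowed_fingerprints}
        if fpr.upper() not in allowed:
            return Verdict(False, "key is in a trusted keyring but not allowed for this source", fpr)
    return Verdict(True, "good signature from a trusted key", fpr)


def gpgv_command(dsc_path: str, keyrings: Iterable[str] = TRUSTED_KEYRINGS) -> list:
    """Build the gpgv invocation: status on stdout, only the given keyrings."""
    cmd = ["gpgv", "--status-fd", "1"]
    for k in keyrings:
        cmd += ["--keyring", k]
    cmd.append(dsc_path)
    return cmd


def verify_dsc(dsc_path: str, keyrings: Iterable[str] = TRUSTED_KEYRINGS,
               allowed_fingerprints: Optional[Iterable[str]] = None) -> Verdict:
    """Run gpgv on a clearsigned .dsc and decide. Needs gpgv and the keyrings."""
    proc = subprocess.run(gpgv_command(dsc_path, keyrings),
                          capture_output=True, text=True)
    return decide(proc.stdout, allowed_fingerprints)


if __name__ == "__main__":
    import sys
    v = verify_dsc(sys.argv[1])
    print("ACCEPT" if v.ok else "REJECT", v.reason, v.fingerprint or "")
    sys.exit(0 if v.ok else 1)
```

Run as `./verify_dsc.py foo_1.0-1.dsc` it exits non-zero for an unsigned file, a tampered file, or a file signed by a key that is not in the pinned keyrings, regardless of what the user has imported into `~/.gnupg`. The decision logic is kept separate from the gpgv call so it can be exercised on captured status output without any keys present.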