Package: apt
Version: 0.9.7.9
Severity: grave
Tags: security

Source packages are signed, therefore it's fair to expect 'apt-get source' to enforce signature verification. But it merely prints a warning and continues if it can't check a signature because of a missing key (e.g. when you forgot to install the developer keyring). This seems to be caused by dpkg-source needing the --require-valid-signature option to enable strict checking (*).
Freenode's #debian suggested I should file a bug on 'apt' since it's the frontend, and set a 'wishlist' severity. However, I decided to give it a 'grave' severity because Debian policy says that's appropriate when a package introduces a command that exposes the user accounts to attacks when run ( http://release.debian.org/stable/rc_policy.txt ). I'm hoping this gets treated more seriously than 'wishlist' (**).

The security hole in this case involves introducing a compromised source package on a Debian mirror. Then apt will happily take it, unpack it, patch stuff and possibly execute arbitrary code from it, without quitting if it can't check signatures. It breaks the reasonable assumption that the package manager will check source package signatures for official packages just as it checks binary packages.

(*) I'd also argue --require-valid-signature is an incredibly poor default in itself, and that's what should be fixed. It essentially makes security a long option to a core Debian command, and it's off by default.

(**) I should remind you my somewhat related #722906 issue on downloads being exceedingly difficult to check correctly from non-Debian machines also got a 'wishlist' status (initially 'important' and not tagged as a security issue) and had its subject changed to something more benign. I'm hoping my report was misunderstood.

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
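The fail-closed policy the report asks for (a missing key is a failure, not a warning), as an added example that is not part of the bug report and is not apt's or dpkg's code. It parses a clearsigned .dsc with a deliberately small parser of my own, checks the Checksums-Sha256 rows against the files on disk, and takes the signature verdict from an injected callable so it runs offline; in practice that callable would wrap `gpgv --status-fd 1 --keyring /usr/share/keyrings/debian-keyring.gpg` and map its NO_PUBKEY / BADSIG / GOODSIG tokens onto `SigStatus`. The `require_valid_signature` keyword mirrors the dpkg-source option named in the report; `hello_1.0.dsc`, `hello_1.0.orig.tar.gz`, `verify_source`, `make_fixture` and the fixture contents are all constructed for this example.

```python
import hashlib
import tempfile
from enum import Enum
from pathlib import Path
from typing import Callable, Dict, List, Tuple

class SigStatus(Enum):
    # Stand-in for gpgv --status-fd verdicts; the real wrapper is an assumption, not shown here.
    VALID = "valid"               # GOODSIG with a key from the Debian keyring
    MISSING_KEY = "missing-key"   # NO_PUBKEY: the case dpkg-source only warns about by default
    BAD = "bad"                   # BADSIG: content altered after signing

def strip_clearsign(text: str) -> Tuple[bool, str]:
    """Return (was_signed, payload) for a possibly clearsigned control file."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return False, text
    i = 1
    while i < len(lines) and lines[i].strip():   # skip "Hash: ..." armor headers
        i += 1
    body: List[str] = []
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return True, "\n".join(body) + "\n"

def parse_checksums(payload: str, field: str = "checksums-sha256") -> List[Tuple[str, int, str]]:
    """Extract (sha256, size, filename) rows from the multi-line Checksums-Sha256 field."""
    rows: List[Tuple[str, int, str]] = []
    in_field = False
    for line in payload.splitlines():
        if line[:1] in (" ", "\t"):              # continuation line of the current field
            if in_field and line.split():
                digest, size, name = line.split()
                rows.append((digest, int(size), name))
            continue
        in_field = line.split(":", 1)[0].lower() == field
    return rows

def verify_source(dsc_path: Path, gpg_verify: Callable[[str], SigStatus],
                  *, require_valid_signature: bool = True) -> Tuple[bool, str]:
    """Accept the source only if the .dsc signature is VALID and every listed file matches.

    require_valid_signature=False reproduces the warn-and-continue default the report
    complains about: a missing key is printed as a warning and unpacking would go ahead.
    """
    text = dsc_path.read_text()
    signed, payload = strip_clearsign(text)
    if not signed:
        return False, "refusing unsigned .dsc"
    status = gpg_verify(text)
    if status is not SigStatus.VALID:
        if status is SigStatus.MISSING_KEY and not require_valid_signature:
            print(f"warning: cannot verify signature on {dsc_path.name} (missing key)")
        else:
            return False, f"signature check failed: {status.value}"
    for digest, size, name in parse_checksums(payload):
        data = (dsc_path.parent / name).read_bytes()
        if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            return False, f"checksum mismatch for {name}"
    return True, "ok"

def make_fixture(workdir: Path, *, tamper: bool = False) -> Path:
    """Write a constructed hello_1.0.dsc plus a placeholder tarball (sample data, not a real package)."""
    workdir.mkdir(parents=True, exist_ok=True)
    tarball = workdir / "hello_1.0.orig.tar.gz"
    content = b"constructed sample bytes standing in for a tarball\n"
    tarball.write_bytes(content)
    dsc = workdir / "hello_1.0.dsc"
    dsc.write_text(
        "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
        "Format: 3.0 (quilt)\nSource: hello\nVersion: 1.0\n"
        f"Checksums-Sha256:\n {hashlib.sha256(content).hexdigest()} {len(content)} {tarball.name}\n"
        "-----BEGIN PGP SIGNATURE-----\n(constructed placeholder, not a real signature)\n"
        "-----END PGP SIGNATURE-----\n")
    if tamper:   # a mirror swapping the tarball after the .dsc was signed
        tarball.write_bytes(content + b"backdoored debian/rules\n")
    return dsc

def demo() -> Dict[str, bool]:
    """Run the policy over the fixtures under each verifier outcome; True means 'accepted'."""
    with tempfile.TemporaryDirectory() as d:
        good = make_fixture(Path(d) / "good")
        bad = make_fixture(Path(d) / "tampered", tamper=True)
        return {
            "valid_sig": verify_source(good, lambda _: SigStatus.VALID)[0],
            "missing_key_strict": verify_source(good, lambda _: SigStatus.MISSING_KEY)[0],
            "missing_key_lenient": verify_source(
                good, lambda _: SigStatus.MISSING_KEY, require_valid_signature=False)[0],
            "tampered_tarball": verify_source(bad, lambda _: SigStatus.VALID)[0],
        }

if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check:20} accepted={accepted}")
```

The point of the strict default is the `missing_key_strict` case: with the keyring absent the only safe answer is to stop before anything from the tarball or the debian/ directory is executed, which is exactly what the lenient branch fails to do.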