
  2. 4

    I haven’t been following Debian development enough, apparently, because this was news to me. And now, reading this article, I am pretty unsure about what I should do: the Debian Wiki advocates using the signed-by approach that this article ridicules as security theater.

    The article is a little light on explanation of why the Debian-recommended approach is not a useful security measure, so maybe someone can tell me if my guess is right: Because package installation runs as root, a malicious third-party package can modify arbitrary files from other repositories regardless of which key those repositories’ packages are signed with. So apt install malware could install its own version of /usr/bin/ssh (e.g., in a post-install script, so it doesn’t show up in the package manifest) even though its signing key couldn’t be used to sign a malicious version of the Debian ssh package.

    1. 2

      AIUI the repository that contains malware could also contain a malicious rebuild of the ssh package with a higher version number. malware could directly depend on that, or it could be picked up by a later security update.
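An added example, not from this thread, of the control a practitioner would pair with the Signed-By scoping discussed above to blunt the version-number hijack described in the reply: a Deb822 sources entry plus an apt preferences pin that ranks everything from the third-party origin below the Debian archive except the one package actually wanted from it. The repository URL, origin label `example-vendor` and package name `vendortool` are placeholders; the origin label must match the `Origin:` field in that repository's Release file.

```ini
# /etc/apt/sources.list.d/example-vendor.sources   (placeholder names)
Types: deb
URIs: https://repo.example.invalid/debian
Suites: bookworm
Components: main
# Signed-By only decides whose signature is accepted for *this* source;
# it says nothing about which packages that source may supply.
Signed-By: /usr/share/keyrings/example-vendor-archive-keyring.gpg

# /etc/apt/preferences.d/example-vendor
# Default for this origin: priority 100 (below the Debian archive's 500),
# so a rebuilt openssh-client with a higher version number never becomes
# the candidate version, and a package that hard-depends on that rebuild
# fails with an unmet dependency instead of pulling it in.
Package: *
Pin: release o=example-vendor
Pin-Priority: 100

# Only the package we actually want may compete on equal footing.
Package: vendortool
Pin: release o=example-vendor
Pin-Priority: 500
```

`apt-cache policy openssh-client` shows which origin supplies the candidate version after the pin is in place. The pin does nothing about the first point in the thread: a maintainer script in `vendortool` still runs as root, so the only control for that is deciding whether to install the package at all.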