Debian Planet


    Are Debian packages vulnerable to spoofing?
    Contributed by Anonymous on Friday, December 14 @ 00:13:00 GMT

    This thread on Slashdot talks about how Debian packages can be trojaned by upstream servers/proxies. Ignoring the bits about Microsoft and FTP daemons, do we need stronger systems/protocols in place to protect the integrity of our packages, and if so, what?

    DanielS: The system to sign .deb's (debsigs) is there, it just needs to actually be used.

    "Are Debian packages vulnerable to spoofing?" | 9 comments

    The comments are owned by the poster. We aren't responsible for their content.

    Re: Are debs vulnerable to spoofing? (Score: 1, Insightful)
    by Anonymous on Friday, December 14 @ 00:22:08 GMT

    Why can't something be added to apt-get to automatically verify the signatures with the latest debian keyring file? The debian keyring file would be signed by an existing known developer I suppose. You can use debsig-verify, but i don't think that works automatically with apt-get.


    Re: Are debs vulnerable to spoofing? (Score: 2, Informative)
    by FylB on Friday, December 14 @ 02:03:37 GMT

    There is also a thread on the debian-security ML.

    Wichert Akkerman says that yes, it exists, and that no, it is not used (yet).

    Link to the thread here


    Re: Are debs vulnerable to spoofing? (Score: 0)
    by Anonymous on Friday, December 14 @ 02:10:21 GMT


    Wait, if the .deb packages can be spoofed by a proxy, I presume that the signatures can also be spoofed? So how does that help?


    Re: Are debs vulnerable to spoofing? (Score: 1, Informative)
    by Anonymous on Friday, December 14 @ 03:01:16 GMT

    This was discussed during the Debian BOF at Linux Showcase in Oakland in November. I don't know the names of people but the gist was...

    Apt does compare the hash of the .deb to the signature of the maintainer. But it does it in the background. There is a way to tie this to the pgp signature of the author if you have a trusted key and reject unauthorized packages. But the maintainers were hesitant to sign off on other people's code when they themselves are rushing to get bug fixes and such out quickly.

    Somewhere in the debate it became clear that you couldn't necessarily trust the mirrored .deb archives unless the packages were signed by the authors, hashed by the maintainers and checked all the way back by apt. If this were in place, a transparent proxy would be caught by apt as an unsafe source.

    If someone could please clarify the points I made. I'm only just beginning to understand the underlying system.


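    Editor's note: the first comment asks why apt-get cannot verify signatures automatically against a pinned keyring, the third asks what a signature buys you if a proxy can rewrite the download, and the last describes a chain of checks "all the way back" from a signed index to the .deb. The following added example, which is not code from Debian Planet, apt or debsigs, models that chain end to end. It assumes a toy archive layout (a signed "Release" file naming the hash of a "Packages" index, which names the hash of each .deb), uses a Lamport one-time signature over SHA-256 in place of OpenPGP so that it runs on the Python standard library alone, and uses constructed package bytes rather than real packages. The point it shows is that a proxy can swap a .deb, rewrite the index to match, or even publish a whole new archive, and the client with a pinned public key rejects each case, because forging the signature would require the archive's private key.

```python
"""Added example (not apt/debsigs code): a signed package archive and the
client-side chain of checks. Release (signed) -> Packages hash -> .deb hash.
Lamport one-time signatures stand in for OpenPGP; package bytes are constructed."""
import hashlib
import os
from typing import Dict, List, Tuple

Key = List[Tuple[bytes, bytes]]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen() -> Tuple[Key, Key]:
    """One-time key: 256 pairs of 32-byte secrets; the public key is their hashes."""
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pub = [(sha256(a), sha256(b)) for a, b in priv]
    return priv, pub


def lamport_sign(priv: Key, message: bytes) -> List[bytes]:
    """For each bit of the message digest, reveal the secret matching that bit."""
    digest = int.from_bytes(sha256(message), "big")
    return [priv[i][(digest >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pub: Key, message: bytes, sig: List[bytes]) -> bool:
    """Hash each revealed secret and compare with the public key for that bit."""
    if len(sig) != 256:
        return False
    digest = int.from_bytes(sha256(message), "big")
    return all(sha256(sig[i]) == pub[i][(digest >> (255 - i)) & 1] for i in range(256))


def build_archive(debs: Dict[str, bytes], priv: Key) -> dict:
    """Publisher: index the .debs, put the index hash in Release, sign Release only."""
    packages = "".join(f"Package: {n}\nSHA256: {sha256(b).hex()}\n\n" for n, b in sorted(debs.items()))
    release = f"SHA256: {sha256(packages.encode()).hex()} Packages\n"
    return {"Release": release, "Release.sig": lamport_sign(priv, release.encode()),
            "Packages": packages, "pool": dict(debs)}


def parse_packages(text: str) -> Dict[str, str]:
    """Map package name -> expected SHA-256 hex digest from a Packages index."""
    expected: Dict[str, str] = {}
    name = None
    for line in text.splitlines():
        if line.startswith("Package: "):
            name = line[len("Package: "):]
        elif line.startswith("SHA256: ") and name is not None:
            expected[name] = line[len("SHA256: "):]
    return expected


def fetch_verified(archive: dict, pub: Key, name: str) -> bytes:
    """Client: verify the signature, then the index hash, then the .deb hash.
    Raises ValueError at the first broken link; the .deb is returned only if all hold."""
    release: str = archive["Release"]
    if not lamport_verify(pub, release.encode(), archive["Release.sig"]):
        raise ValueError("Release signature invalid")
    if sha256(archive["Packages"].encode()).hex() != release.split()[1]:
        raise ValueError("Packages index does not match signed Release")
    expected = parse_packages(archive["Packages"]).get(name)
    if expected is None:
        raise ValueError(f"{name} not listed in signed index")
    deb: bytes = archive["pool"][name]
    if sha256(deb).hex() != expected:
        raise ValueError(f"{name}: .deb hash does not match signed index")
    return deb


def demo() -> Dict[str, str]:
    """Honest download plus three proxy attacks; returns what the client concluded."""
    priv, pub = lamport_keygen()                      # pub is the client's pinned key
    pkg = "hello_1.3-16_i386.deb"
    debs = {pkg: b"constructed hello payload", "tiny_0.1_all.deb": b"constructed tiny payload"}
    archive = build_archive(debs, priv)
    trojan = b"constructed trojaned payload"
    results: Dict[str, str] = {}

    def attempt(label: str, view: dict) -> None:
        try:
            results[label] = "ok" if fetch_verified(view, pub, pkg) == debs[pkg] else "wrong bytes"
        except ValueError as err:
            results[label] = str(err)

    attempt("clean", archive)
    # 1. Proxy swaps only the .deb: caught by the hash in the signed index.
    swapped = {**archive, "pool": {**archive["pool"], pkg: trojan}}
    attempt("trojaned_deb", swapped)
    # 2. Proxy also rewrites Packages to match: caught by the hash in the signed Release.
    rewritten = archive["Packages"].replace(sha256(debs[pkg]).hex(), sha256(trojan).hex())
    attempt("rewritten_index", {**swapped, "Packages": rewritten})
    # 3. Proxy publishes a whole new archive signed with its own key: pinned key rejects it.
    attacker_priv, _ = lamport_keygen()
    attempt("forged_release", build_archive({**debs, pkg: trojan}, attacker_priv))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:16s} {outcome}")
```

    The design point is the one the last comment reaches for: only one small file needs a signature, and every other artifact is bound to it by hashes the client recomputes locally, so a man-in-the-middle gains nothing from rewriting bytes it cannot re-sign. What the example does not model is key distribution: the client's trust is exactly as good as the key it pinned, which in Debian's case means the keyring package itself has to arrive by a trusted path.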

    All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2000 by Debian Planet
