Ticket #60 (new defect)

Opened 3 years ago

Last modified 3 years ago

security: check repository and packages signatures before installing

Reported by: yvesjm Assigned to: somebody
Priority: critical Milestone: 0.4.0
Component: agent Version:
Keywords: Cc:

Description

From Jan Suhr:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Dear Yves,
> thank you very much for your effort! The certificate is for the control
> connection only, right? Does NWU care about PGP-signed packages? AFAIK
> NWU does just start apt-get to download and install packages (besides
> other tasks). Would it be possible for an attacker to hijack a
> repository server and manipulate some packages? IMHO the packages should
> be verified before installation against (A) the usual
> Debian/Ubuntu/RedHat/etc. repository keys AND (B) against packages
> created by the system administrator (the certificate which NWU should be
> configured to verify for). I don't think apt-get is doing such checks by
> default.
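The two-step check asked for above, written out as an added example for this ticket (it is not NWU's code and not from the reporter): step A is the repository signature on the Release file, checked with gpgv against an explicitly chosen keyring, after which Release vouches for the Packages index by SHA256 and size, and Packages vouches for each downloaded .deb the same way; step B is an administrator-signed manifest of approved package digests. The manifest format (one digest and file name per line), the file paths, and the presence of gpgv on the host are assumptions of the example; the sample Release, Packages and .deb bytes are constructed inline so the hash-chain part runs offline.

```python
import hashlib
import hmac
import re
import subprocess


def parse_release_sha256(release_text):
    """Return {path: (sha256hex, size)} from the SHA256 section of a Release file."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
        elif in_section:
            in_section = False  # the next top-level field ends the section
    return entries


def parse_packages(packages_text):
    """Return {Filename: (sha256hex, size)} from the stanzas of a Packages file."""
    if isinstance(packages_text, bytes):
        packages_text = packages_text.decode()
    entries = {}
    for stanza in re.split(r"\n\s*\n", packages_text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "Filename" in fields and "SHA256" in fields:
            entries[fields["Filename"]] = (fields["SHA256"].lower(), int(fields["Size"]))
    return entries


def _matches(expected, data):
    """Compare (digest, size) from an index against the bytes actually fetched."""
    digest, size = expected
    return size == len(data) and hmac.compare_digest(
        digest, hashlib.sha256(data).hexdigest())


def verify_release_signature(keyring_path, release_path, signature_path):
    """Step A: Release must carry a valid signature from a key in our keyring.

    gpgv with an explicit --keyring trusts only keys the administrator installed.
    Assumes gpgv is on PATH; not exercised offline, since it needs real key material.
    """
    proc = subprocess.run(
        ["gpgv", "--keyring", keyring_path, signature_path, release_path],
        capture_output=True)
    return proc.returncode == 0


def verify_packages_index(release_text, packages_bytes, index_path):
    """Release (already signature-checked) must vouch for the Packages index."""
    expected = parse_release_sha256(release_text).get(index_path)
    return expected is not None and _matches(expected, packages_bytes)


def verify_deb(packages_text, filename, deb_bytes):
    """The Packages index must vouch for the .deb that was downloaded."""
    expected = parse_packages(packages_text).get(filename)
    return expected is not None and _matches(expected, deb_bytes)


def admin_manifest_allows(manifest_text, deb_bytes):
    """Step B: an admin-signed manifest (hypothetical format: '<sha256> <name>' per
    line, its signature checked like Release but with the admin keyring) must
    list the digest of the .deb before it may be installed."""
    approved = {line.split()[0].lower()
                for line in manifest_text.splitlines() if line.strip()}
    return hashlib.sha256(deb_bytes).hexdigest() in approved


def build_samples():
    """Constructed sample data: a fake .deb, the Packages stanza and Release
    section describing it, and an admin manifest approving it."""
    deb = b"!<arch>\nconstructed-not-a-real-deb\n"
    deb_sha = hashlib.sha256(deb).hexdigest()
    packages = (
        "Package: nwu-demo\nVersion: 0.1\nArchitecture: all\n"
        f"Filename: pool/main/n/nwu-demo_0.1_all.deb\nSize: {len(deb)}\nSHA256: {deb_sha}\n"
    ).encode()
    release = (
        "Suite: stable\nCodename: demo\nSHA256:\n"
        f" {hashlib.sha256(packages).hexdigest()} {len(packages)} main/binary-all/Packages\n"
        "Description: constructed sample\n"
    )
    manifest = f"{deb_sha} nwu-demo_0.1_all.deb\n"
    return deb, packages, release, manifest


if __name__ == "__main__":
    deb, packages, release, manifest = build_samples()
    print("index ok:", verify_packages_index(release, packages, "main/binary-all/Packages"))
    print("deb ok:", verify_deb(packages, "pool/main/n/nwu-demo_0.1_all.deb", deb))
    print("tampered deb ok:", verify_deb(packages, "pool/main/n/nwu-demo_0.1_all.deb", deb + b"x"))
    print("admin approves:", admin_manifest_allows(manifest, deb))
```

The order matters: the signature check on Release comes first, and only then do the hash comparisons mean anything, because an attacker who controls the repository host can rewrite Release and Packages along with the .deb. Step B is what catches a compromised upstream key or a legitimately signed but unwanted package, which is why it uses a separate keyring and a separate digest list.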

Change History

05/21/06 21:13:46 changed by yvesjm

  • milestone set to milestone3.

06/19/06 21:49:44 changed by yvesjm

  • summary changed from Check repository and packages signatures before installing to security: check repository and packages signatures before installing.

06/19/06 22:17:38 changed by yvesjm

  • milestone changed from 0.4.0 to oops.

Milestone 0.4.0 deleted
