#245
Originally Posted by attila77
Zimon, please, for the last time - let Debian folks care about Deb(ian). Free and Open Source Software is not about telling *other* people what and how they should use.
I've tried to use the words should/would/could instead of imperative ones.

But this weak security policy also affects me, because I am using an N900. So it is not only Debian's problem. It is also my problem.
So I think I am entitled to say "the problem should be fixed".

http://manpages.ubuntu.com/manpages/...ebsigs.1p.html
However debsigs and debsig-verify currently are not ported to Maemo5.
Also, it seems like debsigs is not even very common and is disabled on most DEB-based systems:
From http://purplefloyd.wordpress.com/200...-deb-packages/
Note: on most distros, dpkg/apt will not check the signature of a package when installing it, even if a signature is present. This checking can be enabled by removing the --no-debsig line from /etc/dpkg/dpkg.cfg.

I appreciate all those extra, -devel, -testing deb packages people have provided, but I am concerned about developers themselves also installing deb packages without an authenticity check.
http://www.google.com/search?q=site%...dpkg+-i%22+deb
https://garage.maemo.org/plugins/wik...id=1382&type=g

A Thompson's Trojan Compiler type of crack needs to get inside the developer community only once, and it will be hard to detect and remove. There may already be such Trojan horses, but we certainly would not want even more.

Right now, in Maemo5 we are practically as easily crackable as iPhone users are:
http://blogs.zdnet.com/security/?p=5836

Last edited by zimon; 2010-03-25 at 18:11. Reason: authentication/authenticity
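Added example, not part of the original post or of any project's code: a small Python audit for the two conditions discussed above, namely whether a dpkg.cfg still carries an active no-debsig option and whether a .deb (an ar archive) contains any debsigs-style embedded signature members (names beginning with `_gpg`, such as `_gpgorigin`). The function names and the sample archives are constructed for illustration.

```python
AR_MAGIC = b"!<arch>\n"

def debsig_disabled(cfg_text):
    """True if dpkg.cfg text has an active (uncommented) no-debsig option."""
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # dpkg.cfg lists options without leading dashes; tolerate both forms.
        if line.lstrip("-") == "no-debsig":
            return True
    return False

def ar_members(data):
    """Return the member names of an ar archive (the container of a .deb)."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    names, off = [], len(AR_MAGIC)
    while off + 60 <= len(data):
        hdr = data[off:off + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % off)
        # 16-byte name field; GNU ar appends '/', dpkg-deb does not.
        names.append(hdr[:16].decode("ascii").rstrip().rstrip("/"))
        size = int(hdr[48:58].decode("ascii").strip())
        off += 60 + size + (size & 1)  # member data is padded to even length
    return names

def embedded_signatures(data):
    """Names of debsigs-style signature members; presence only, not validity."""
    return [n for n in ar_members(data) if n.startswith("_gpg")]

def _member(name, payload):
    # Helper that builds one ar member for the constructed samples below.
    hdr = "%-16s%-12s%-6s%-6s%-8s%-10d`\n" % (
        name, "0", "0", "0", "100644", len(payload))
    return hdr.encode("ascii") + payload + (b"\n" if len(payload) & 1 else b"")

# Constructed sample archives (placeholder payloads, not real packages).
UNSIGNED_DEB = (AR_MAGIC + _member("debian-binary", b"2.0\n")
                + _member("control.tar.gz", b"xyz")
                + _member("data.tar.gz", b""))
SIGNED_DEB = UNSIGNED_DEB + _member("_gpgorigin", b"constructed-placeholder")

if __name__ == "__main__":
    print("debsig check disabled:", debsig_disabled("# defaults\nno-debsig\n"))
    print("unsigned:", embedded_signatures(UNSIGNED_DEB))
    print("signed:  ", embedded_signatures(SIGNED_DEB))
```

A `_gpg*` member only shows that a signature is present; whether it is valid and from a trusted key is what debsig-verify decides against its policy files.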