sign the repository at ddebs.ubuntu.com

Bug #185625 reported by Louis-Dominique Dubeau
Affects: Ubuntu | Status: Fix Released | Importance: Undecided | Assigned to: Martin Pitt | Milestone: (none)

Bug Description

The repository at ddebs.ubuntu.com is currently not signed. Even if the server is well secured, a man-in-the-middle attack could cause someone to install tainted packages on their system.

Revision history for this message
Chris Sherlock (ta-bu-shi-da-yu) wrote :

Is there any reason why this cannot be done? Currently this is preventing me from doing a partial upgrade of my system. I can certainly remove the repo from my sources, but that isn't going to help with testing.

Chris Sherlock (ta-bu-shi-da-yu) wrote :

Hi all, what would need to be done to get something done about this?

Pär Lindfors (paran) wrote :

"Reported on 2008-01-24" and not a single response from any ubuntu developer or Security Team member about this?

All packages are built on the normal build servers. I really can't see any reason for it to be hard to get ddebs.ubuntu.com signed, either by the standard archive key or a separate one.

Two big problems with the current situation:

1. Many Ubuntu developers are probably using ddebs.ubuntu.com. I really don't like developers of the distribution I use getting malicious packages installed.

2. Users will be told to enable this repository to help triage bugs. This teaches them that it is OK to ignore security warnings from APT.

The second problem is of course the same when using PPAs. But there the problem is harder to solve, and is being discussed in bug #125103.

Chris Sherlock (ta-bu-shi-da-yu) wrote :

Don't forget, however, that if you do a distro update you need to remember to disable the ddebs source, because they are unsigned and the distro update will fail.

I guess that's more a usability issue than anything though.

Changed in ubuntu-meta:
status: Confirmed → In Progress
Martin Pitt (pitti) wrote :

For the record, I'm currently working on getting them signed, I have to fix my scripts to produce proper Release files, though.

Chris Sherlock (ta-bu-shi-da-yu) wrote :

Excellent! I think we all appreciate the status update. :-)

Martin Pitt (pitti) wrote :

Sorry again for the delay. It's done now, apt-get update and apt-get install now don't complain any more.

I created a key for this:

pub 1024D/428D7C01 2008-09-02
uid Ubuntu Debug Symbol Archive Automatic Signing Key <email address hidden>
sub 2048g/A2C2A7A5 2008-09-02

I put it at http://ddebs.ubuntu.com/dbgsym-release-key.asc and also uploaded it to keyserver.ubuntu.com.

The key is currently signed with my own GPG key only.

To import it:
 gpg --keyserver keyserver.ubuntu.com --recv-key 428D7C01
 gpg --check-sigs 428D7C01 # make sure that you only get "sig!", not - or %
 gpg --export 428D7C01 | sudo apt-key add -
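
Once the Release file is signed as described above, APT can detect a tampered index: the SHA256 stanza of Release binds every Packages file, and each Packages entry in turn carries the hash of the .ddeb it points to. The following is an added example, not code from this bug thread or from Ubuntu's archive tooling, that performs that second step over a constructed Release/Packages pair; it assumes the Release signature itself has already been checked (for instance with gpgv against the key imported above).

```python
"""Check an APT index file against the SHA256 stanza of a Release file.
Added example; the Release and Packages contents are constructed sample
data, and the path 'main/debug/binary-amd64/Packages' is assumed."""
import hashlib
import hmac

# Constructed sample index file, as fetched from the archive.
PACKAGES = (
    b"Package: libfoo1-dbgsym\n"
    b"Version: 1.0-1\n"
    b"Filename: pool/main/f/foo/libfoo1-dbgsym_1.0-1_amd64.ddeb\n"
)

def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed Release file whose SHA256 stanza covers PACKAGES.
# Only the signature over this text makes the hashes trustworthy.
RELEASE = (
    "Origin: Ubuntu\nSuite: hardy\nCodename: hardy\n"
    "SHA256:\n"
    f" {_sha256_hex(PACKAGES)} {len(PACKAGES)} main/debug/binary-amd64/Packages\n"
)

def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256_hex, size)} from the SHA256: stanza."""
    entries = {}
    in_stanza = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # Any unindented line starts a new field; only SHA256: matters.
            in_stanza = line.rstrip() == "SHA256:"
            continue
        if in_stanza:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def index_is_trusted(release_text: str, path: str, index_bytes: bytes) -> bool:
    """True only if `path` is listed in Release and both size and hash match."""
    entry = parse_release_sha256(release_text).get(path)
    if entry is None:
        return False  # fail closed: an unlisted index cannot be verified
    digest, size = entry
    return len(index_bytes) == size and hmac.compare_digest(
        _sha256_hex(index_bytes), digest
    )
```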

Changed in ubuntu-meta:
status: In Progress → Fix Released
Chris Sherlock (ta-bu-shi-da-yu) wrote :

Thank you!!!!

Rich (rincebrain) wrote :

Excellent, thank you. :)

This report contains Public Security information.