[maemo-developers] Security Guidance for N800 OS development

From: Marius Gedminas marius at pov.lt
Date: Tue Feb 20 20:45:08 EET 2007

On Tue, Feb 20, 2007 at 05:53:15PM +0100, Kees Jongenburger wrote:
> On 2/20/07, Marius Gedminas <marius at pov.lt> wrote:
> >On Tue, Feb 20, 2007 at 01:19:56PM +0100, Kees Jongenburger wrote:
> >> On 2/20/07, Marius Gedminas <marius at pov.lt> wrote:
> >> >I wonder how many people install OpenSSH/Dropbear and then leave......
> >>
> >> I wonder how many people trust the openssh deb :p
> >
> >If you have reasons not to trust it, please elaborate.
> 
> Hello Marius, I would feel more comfortable if I knew the
> package was built on a maemo server.

It comes from repository.maemo.org.

> Nobody can really trust
> binary packages anyway. Not only that but we also need to trust the
> location where the openssh.install file is located, in this case
> http://mg.pov.lt/770/openssh.install, and we need to hope that no other
> repository contains a forged openssh package. Enough reasons IMHO to
> say that the system is not very secure.

That's a good point, but it is not specific to OpenSSH.  Any package you
install on your 770/N800 can add a backdoor.

The solution is package signing.  Apt has infrastructure for that.  The
application manager ignores missing signatures, I think.  Also, how do
you decide whose keys to trust?

Marius Gedminas
-- 
BASIC:
        A programming language.  Related to certain social diseases
        in that those who have it will not admit it in polite company.
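
Added illustration, not part of the original message and not code from apt or maemo: a sketch of the hash chain that apt's signed-repository support relies on, where a signed Release file pins the Packages index and the index pins each .deb. It assumes the OpenPGP signature on the Release file has already been verified against a trusted key; all function names, paths and sample data are constructed for the example.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def release_hashes(release_text: str) -> dict:
    """Parse the SHA256 section of a Release file into {path: (hash, size)}."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False
    return entries

def package_stanza(packages_text: str, name: str) -> dict:
    """Return the fields of the stanza for `name` in a Packages index."""
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if fields.get("Package") == name:
            return fields
    raise KeyError(name)

def verify_deb(release_text, packages_path, packages_bytes, name, deb_bytes):
    """Check deb -> Packages -> Release. Assumption: the caller has already
    verified the OpenPGP signature on release_text against a trusted key."""
    digest, size = release_hashes(release_text)[packages_path]
    if len(packages_bytes) != size or sha256(packages_bytes) != digest:
        return "Packages index does not match signed Release"
    fields = package_stanza(packages_bytes.decode(), name)
    if len(deb_bytes) != int(fields["Size"]) or sha256(deb_bytes) != fields["SHA256"]:
        return "deb does not match Packages index"
    return "ok"

# Constructed sample data (not real maemo repository content).
GOOD_DEB = b"constructed stand-in for a genuine openssh .deb"
FORGED_DEB = b"constructed stand-in for a forged openssh .deb!"
PACKAGES = (f"Package: openssh\nVersion: 0-sample\nFilename: pool/openssh.deb\n"
            f"Size: {len(GOOD_DEB)}\nSHA256: {sha256(GOOD_DEB)}\n").encode()
PACKAGES_PATH = "main/binary-armel/Packages"
RELEASE = (f"Origin: constructed-example\nSHA256:\n"
           f" {sha256(PACKAGES)} {len(PACKAGES)} {PACKAGES_PATH}\n")
```

The chain only helps if the installer refuses unsigned or unverifiable Release files; an installer that ignores missing signatures skips the step this sketch takes as given.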