Re: Cryptoapi kernel-patch packages for debian
On Sunday 07 July 2002 20:35:20, Jean-Luc Cooke wrote:
> Yes, if you look at the script, there are GPG signatures performed.
>
> example:
> http://jlcooke.ca/go?2.4.18/CA | less
>
> Ideally, I'd rather have an SSL tunnel to the script...but that depends on
> the server.

Yes, I see :)

But there are still some things that come to my mind as far as security is
concerned:

* Placing "KERNKEY=0x517D0F0E" inside the script downloaded from the web might
  be a potential security risk as this could quite easily be transparently
  replaced by a different key id I have in my keyring (or that is available
  via the keyserver)[1]. I think this might be avoided by reading the key ID
  from a local file that has to be created by the user first (?)
* There is no check whether the key used for verification is trusted/has
  been signed by the user.
* The script is being piped directly from the web to a root shell. This looks
  dangerous to me, even with SSL in use, as long as the SSL certificate
  doesn't undergo verification. I currently can't find any option for
  lynx or w3m that does this, but it's very possible I'm just blind.

And there's one thing I stumbled across when reading the code - maybe you
should start with a section like this:

    TRUEBIN=`which true`
    W3MBIN=`which w3m`
    LYNXBIN=`which lynx`

etc., just as you did with the gpg binary.

All just IMHO, of course.

Greetings,
David

[1] which would require replacing the signatures as well, but that is possible
too.
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
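
The three concerns in the message above (key ID taken from the downloaded script, no trust check, script piped straight into a root shell) can be handled in one verification step. The following is an added example, not the script under discussion or code from either poster; the function names, the pin-file argument and the choice to pin a full fingerprint rather than a short key ID are assumptions.

```shell
#!/bin/sh
# Added example. Function names and the pin file are hypothetical.

# sig_acceptable PINFILE
# Reads the output of `gpg --status-fd 1 --verify` on stdin. Succeeds only if
# the signature is valid, was made by the fingerprint stored in the local
# PINFILE (created by the user, never downloaded), and gpg reports the key
# as fully or ultimately trusted.
sig_acceptable() {
    pinned=$(tr -d ' \n' < "$1" | tr 'a-f' 'A-F') || return 2
    [ -n "$pinned" ] || return 2          # missing or empty pin file
    fpr="" primary="" trusted=no
    while read -r tag kw arg rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            # First field: signing key fingerprint; last field: primary key.
            VALIDSIG) fpr=$arg; primary=${rest##* } ;;
            TRUST_FULLY|TRUST_ULTIMATE) trusted=yes ;;
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
        esac
    done
    { [ "$fpr" = "$pinned" ] || [ "$primary" = "$pinned" ]; } &&
        [ "$trusted" = yes ]
}

# verify_then_run SCRIPT SIG PINFILE
# SCRIPT and SIG are saved to disk first, so the bytes that were verified
# are exactly the bytes that get executed (no pipe from the web to a shell).
verify_then_run() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        sig_acceptable "$3" || {
            echo "refusing to run $1: signature not acceptable" >&2
            return 1
        }
    sh "$1"
}
```

Because the pinned fingerprint lives only in a local file, swapping the key named inside the downloaded script no longer changes which key is accepted.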