Secure apt-get

To: debian-devel@lists.debian.org
Subject: Secure apt-get
From: Klaus Reimer <kay@debian.org>
Date: Thu, 18 Jan 2001 19:48:14 +0100
Message-id: <[🔎] 01011819481401.00676@neo>

Hi,

Is there already any feature to run apt-get in a secure way? I mean that it 
installs only TRUSTED packages. I think it is possible to hack a system with 
a man-in-the-middle-attack (I am not a hacker, don't know if this is 
technically possible). If I am installing/downloading i.E. joe from 
ftp.debian.org and a hacker between me and this server gives me a HACKED 
package with a postinst changing the root-Password or something like that I 
am doomed. Would be a very nice feature if I can give apt-get a parameter so 
it checks the signatures of downloaded packages (I know, currently they don't 
have signatures) and refuses the installation if the signature is unknown. A 
basic set of public keys (debian-keyring) must be included in the debian 
base-package. Is something like that already possible (I don't think so, 
because there are no signatures in the packages) or do you think it's a good 
idea for the future? Or was it already discussed?

-- 
Bye
K

Reply to:

Follow-Ups:
- Re: Secure apt-get
  - From: Petr Cech <cech@atrey.karlin.mff.cuni.cz>
- Re: Secure apt-get
  - From: Goswin Brederlow <goswin.brederlow@student.uni-tuebingen.de>
- Re: Secure apt-get
  - From: Arthur Korn <arthur@korn.ch>
- Re: Secure apt-get
  - From: John Goerzen <jgoerzen@progenylinux.com>

Prev by Date: Re: Snes9x and Quake in main
Next by Date: Re: Secure apt-get
Previous by thread: Re: Logging on to debian machines
Next by thread: Re: Secure apt-get
Index(es):
- Date
- Thread