Re: Secure apt-get
I have been working with Ben Collins on this project already. You may
find some documentation -- albeit somewhat out-of-date -- on this at
the URLs below. The software is already written and will be showing
up in Debian this weekend.
My draft spec:
gopher://gopher.quux.org:70/9/devel/debian/debsigs.ps (PostScript)
gopher://gopher.quux.org:70/0/devel/debian/debsigs.txt (Plain Text)
This spec allows for multiple signatures per .deb with an eye towards
flexibility and open policymaking.
-- John
PS... lynx supports gopher.
Klaus Reimer <kay@debian.org> writes:
> Hi,
>
> Is there already any feature to run apt-get in a secure way? I mean that it
> installs only TRUSTED packages. I think it is possible to hack a system with
> a man-in-the-middle-attack (I am not a hacker, don't know if this is
> technically possible). If I am installing/downloading i.E. joe from
> ftp.debian.org and a hacker between me and this server gives me a HACKED
> package with a postinst changing the root-Password or something like that I
> am doomed. Would be a very nice feature if I can give apt-get a parameter so
> it checks the signatures of downloaded packages (I know, currently they don't
> have signatures) and refuses the installation if the signature is unknown. A
> basic set of public keys (debian-keyring) must be included in the debian
> base-package. Is something like that already possible (I don't think so,
> because there are no signatures in the packages) or do you think it's a good
> idea for the future? Or was it already discussed?
>
> --
> Bye
> K
>
>
> --
> To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
--
John Goerzen <jgoerzen@complete.org> www.complete.org
Sr. Software Developer, Progeny Linux Systems, Inc. www.progenylinux.com
#include <std_disclaimer.h> <jgoerzen@progenylinux.com>
Reply to: