Re: ITI: HTTPS method for apt
On Thursday 21 March 2002 3:16 am, Adam Heath wrote:
> On Thu, 21 Mar 2002, Nicolai P Guba wrote:
> > On Wednesday 20 March 2002 7:45 pm, Florian Weimer wrote:
> > > Paolo Redaelli <paolo.redaelli@libero.it> writes:
> > > >> Why? Don't you want your neighbours (or whoever might be able to spy
> > > >> on your network traffic) to see what package versions you run?
> > > >
> > > > Crypted downloads are a step toward improvements in security and/or
> > > > commercial support (note commercial != proprietary)
> > >
> > > I agree (but I doubt the commercial part), but reencrypting the same
> > > data over and over again is quite inefficient. Furthermore, you don't
> > > know the actual source of the package, you have to trust the mirror.
> > >
> > > Signing packages themselves is a much better approach IMHO.
> >
> > Euh... Is apt actually verifying this? Where are the signatures kept? If
> > it's on the same server then it's a doddle to put up compromised packages
> > and sign them.
>
> apt is not yet verifying these.

Hmmm... I didn't see any evidence that it would. So far the community has
been quite lucky that nobody has done some serious attacks on packages. It
would be a doddle to seriously compromise a system by having
  1) its source code
  2) a powerful replication/distribution mechanism
available. How can any admin actually really be sure that his login or ssh
.deb hasn't been compromised? Scary thought.

> The way this would work, is debian would have a set of keys. The archive
> signing key, that exists on the master ftp archive, would sign packages.
> Then, the public key would be used to verify the signature of the package,
> after downloading.
>
> This would allow for unencrypted transfers, while still maintaining the
> validity of the data in transit.

Indeed. Encrypted transfer should be an option, not the default. Would be
easy to identify too:
    apt-get
for unencrypted
    sapt-get
for encrypted.
    apt-get install
    apt-get sinstall
would be another option. Either way, it's only keyboard sugar.

Heppy Heckin'
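
Added example, not part of the original message and not apt or Debian code: a sketch of the scheme discussed above, showing that a package signature survives an untrusted, unencrypted mirror only when the client checks it against a public key it already holds, not one fetched from the same server. The key material, package bytes and all function names are constructed for illustration; unpadded hash-then-RSA over Mersenne primes stands in for a real OpenPGP signature and is not secure.

```python
import hashlib

E = 65537  # public exponent shared by both demo keys

def make_key(p_bits, q_bits):
    """Constructed demo key from two Mersenne primes (factors are public: NOT secure)."""
    p, q = 2**p_bits - 1, 2**q_bits - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(key, data):
    # Stand-in for an OpenPGP signature made with the private key.
    return pow(digest(data), key["d"], key["n"])

def verify(n, data, sig):
    return pow(sig, E, n) == digest(data)

ARCHIVE = make_key(521, 607)     # private half exists only on the master archive
ATTACKER = make_key(1279, 2203)  # key belonging to whoever controls a mirror
PINNED_N = ARCHIVE["n"]          # public half, delivered to clients out of band

def mirror(deb, key):
    """What a mirror serves: package, signature, and a copy of 'the' public key."""
    return {"deb": deb, "sig": sign(key, deb), "pubkey": key["n"]}

def client_pinned(served):
    # Verifies against the key the client already trusts.
    return verify(PINNED_N, served["deb"], served["sig"])

def client_trusts_mirror_key(served):
    # Verifies against whatever key sits next to the package on the server.
    return verify(served["pubkey"], served["deb"], served["sig"])

GOOD = b"ssh .deb contents (constructed)"
honest = mirror(GOOD, ARCHIVE)
tampered = dict(honest, deb=GOOD + b" + modified")   # changed in transit or at rest
resigned = mirror(GOOD + b" + modified", ATTACKER)   # changed and re-signed

if __name__ == "__main__":
    for name, s in [("honest", honest), ("tampered", tampered), ("resigned", resigned)]:
        print(f"{name:9} pinned={client_pinned(s)} mirror-key={client_trusts_mirror_key(s)}")
```

Only the re-signed case separates the two clients: the one that takes its key from the mirror accepts the modified package, while the one with the pinned archive key rejects it.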