
Re: Apt-get is insecure



Previously jereme wrote:
> Can/is the checking of these signatures, (and fetching the appropriate
> developer keys) integrated into apt-get?  What am I missing?

Apt works at a different level: it deals with download packages and
archives, so it will not verify the signature that is embedded in
a deb package.

There is a separate plan for verifying signatures using apt. From
memory this goes as follows:

* deb packages are installed in the archive
* the MD5 checksum for each package is listed in the Packages file
* the MD5 checksum for each Packages file for a release is listed in
  the Release file
* the archive creates a signature for the Release file that apt can
  verify

So by following the chain of MD5 sums apt should be able to verify
that a package originates from a specific release. This is less
flexible than debsigs since it does not work on a per-package basis
but by combining them you have a very powerful system.

Wichert.

-- 
  _________________________________________________________________
 /wichert@wiggy.net         This space intentionally left occupied \
| wichert@deephackmode.org            http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |
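
The chain described in the message above, as an added example that is not part of the original post and is not apt's own code: it walks Release -> Packages -> .deb by MD5 sum, using the `MD5Sum:` block of a Release file and the `Filename:`/`MD5sum:` fields of a Packages file. It assumes the signature on the Release file has already been verified separately; the archive contents, paths and function names are constructed for illustration.

```python
import hashlib

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def parse_release(text: str) -> dict:
    """Map path -> (md5, size) from the 'MD5Sum:' block of a Release file."""
    sums, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("MD5Sum:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            sums[path] = (digest, int(size))
        else:
            in_block = False
    return sums

def parse_packages(text: str) -> dict:
    """Map Filename -> MD5sum for each blank-line-separated stanza."""
    sums = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l.startswith(" "))
        if "Filename" in fields and "MD5sum" in fields:
            sums[fields["Filename"]] = fields["MD5sum"]
    return sums

def verify_chain(release, pkgs_path, pkgs_bytes, deb_path, deb_bytes) -> str:
    """Assumes the signature on `release` was already verified (e.g. by gpg)."""
    entry = parse_release(release).get(pkgs_path)
    if entry != (md5_hex(pkgs_bytes), len(pkgs_bytes)):
        return "Packages file does not match Release"
    if parse_packages(pkgs_bytes.decode()).get(deb_path) != md5_hex(deb_bytes):
        return "deb does not match Packages"
    return "ok"

# Constructed sample data (not a real archive).
DEB = b"constructed stand-in for the bytes of hello_1.0_i386.deb"
DEB_PATH = "pool/main/h/hello/hello_1.0_i386.deb"
PKGS_PATH = "main/binary-i386/Packages"
PKGS = (f"Package: hello\nVersion: 1.0\nFilename: {DEB_PATH}\n"
        f"MD5sum: {md5_hex(DEB)}\nDescription: constructed example\n"
        " second line: continuation\n").encode()
RELEASE = (f"Origin: Example\nSuite: stable\nMD5Sum:\n"
           f" {md5_hex(PKGS)} {len(PKGS)} {PKGS_PATH}\n")

if __name__ == "__main__":
    print(verify_chain(RELEASE, PKGS_PATH, PKGS, DEB_PATH, DEB))
    print(verify_chain(RELEASE, PKGS_PATH, PKGS, DEB_PATH, DEB + b"x"))
```

A modified .deb fails at the Packages step, and a modified Packages file fails at the Release step, so only the Release file itself needs a signature.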


