Re: Automatic Debian security updates, an Implementation
On Fri, Oct 18, 2002 at 08:24:31AM -0400, R. Bradley Tilley wrote:
> Can someone explain why 'apt-get update && apt-get dist-upgrade' is not
> sufficient to keep a debian system secure and updated?
Because a hacked mirror could contain malicious packages.
When you check signatures before upgrading, you detect such intrusions.
Of course, if the hacker managed to modify files on the master server,
proper signatures would automatically get generated, and apt-check-sigs
had no chance to detect these modifications. Still, checking signatures
provides one more line of defense.