On Thu, Mar 08, 2001 at 09:09:33PM -0800, Alexander Hvostov wrote:
> You're supposed to _trust_ the distributions you put in your
> sources.list. If you don't, don't put them in there. Adding security
> features of this sort to apt is probably not even remotely trivial...

With apt 0.5, you can be fairly detailed about how you trust sources (as someone said in another message) but only as long as you can rely on their Release file being correct.

When Conectiva ported apt to RPM, they also added some crypto support, which is in the process of being extended and fiddled with (and forward ported to apt 0.5) and should hopefully allow you to have end-to-end security (from Debian direct to the user, rather than having to trust the mirrors and proxies in between), as well as the fine-grained security apt 0.5 provides.

The files dists/woody/Release and dists/woody/Release.gpg are the current versions of what we expect to use; dinstall (ziyi, to be precise) updates these daily. Ditto for sid.

Note that we're just testing this infrastructure at the moment (at best), so don't expect too much from it.

ziyi's public key is available as http://ftp-master.debian.org/ziyi_key.asc . You might note that it hasn't been signed by anyone; this is moderately deliberate for the moment: we're still just trying to work out how this should work.

Cheers,
aj

--
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

``_Any_ increase in interface difficulty, in exchange for a benefit you do not understand, cannot perceive, or don't care about, is too much.''
-- John S. Novak, III (The Humblest Man on the Net)
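An added example, not part of the original message or of apt: once a Release file has been checked against Release.gpg (for instance with `gpg --verify Release.gpg Release`), a client can reject an index file that a mirror or proxy altered by comparing it with the size and digest the Release file lists. The checksum field names follow the current Release file layout and are an assumption here, as are the function names and the constructed sample data.

```python
import hashlib
import hmac

# Release checksum field name -> hashlib algorithm (assumed from the current layout).
ALGORITHMS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def parse_checksums(release_text, field="SHA256"):
    """Return {path: (hex_digest, size)} for one checksum field of a Release file."""
    entries, in_field = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # A non-indented line opens a new field; note whether it is the one we want.
            in_field = line.split(":", 1)[0] == field
        elif in_field and line.strip():
            digest, size, path = line.split(None, 2)
            entries[path] = (digest.lower(), int(size))
    return entries

def index_is_trusted(release_text, path, data, field="SHA256"):
    """True only if data matches the size and digest that Release lists for path."""
    entry = parse_checksums(release_text, field).get(path)
    if entry is None:
        return False  # a file the signed Release does not list inherits no trust
    digest, size = entry
    if len(data) != size:
        return False
    actual = hashlib.new(ALGORITHMS[field], data).hexdigest()
    return hmac.compare_digest(actual, digest)

# Constructed sample data: a one-package index and a Release file that lists it.
INDEX_PATH = "main/binary-i386/Packages"
PACKAGES = b"Package: hello\nVersion: 1.0-1\nFilename: pool/main/h/hello/hello_1.0-1_i386.deb\n"
RELEASE = (
    "Origin: Example\nSuite: testing\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} {INDEX_PATH}\n"
)
# Same length as the original, so only the digest check can catch the change.
TAMPERED = PACKAGES.replace(b"1.0-1", b"9.9-9")

if __name__ == "__main__":
    print("original index trusted:", index_is_trusted(RELEASE, INDEX_PATH, PACKAGES))
    print("tampered index trusted:", index_is_trusted(RELEASE, INDEX_PATH, TAMPERED))
```

The check is only as strong as the signature verification that precedes it: an unverified Release file can be rewritten together with the index it describes.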