On Thu, Mar 08, 2001 at 09:09:33PM -0800, Alexander Hvostov wrote:
> You're supposed to _trust_ the distributions you put in your
> sources.list. If you don't, don't put them in there. Adding security
> features of this sort to apt is probably not even remotely trivial...
With apt 0.5, you can be fairly detailed about how you trust sources
(as someone said in another message) but only as long as you can rely
on their Release file being correct
When Conectiva ported apt to RPM, they also added some crypto support,
which is in the process of being extended and fiddled with (and forward
ported to apt 0.5) and should hopefully allow you to have end-to-end
security (from Debian direct to the user, rather than having to trust
the mirrors and proxies in between), as well as the fine-grained security
apt 0.5 provides.
The files dists/woody/Release and dists/woody/Release.gpg are the current
versions of what we expect to use; dinstall (ziyi, to be precise) updates
these daily. Ditto for sid.
Note that we're just testing this infrastructure at the moment (at
best), so don't expect too much from it. ziyi's public key is available
as http://ftp-master.debian.org/ziyi_key.asc . You might note that it
hasn't been signed by anyone; this is moderately deliberate for the
moment: we're still just trying to work out how this should work.
Cheers,
aj
--
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.
``_Any_ increase in interface difficulty, in exchange for a benefit you
do not understand, cannot perceive, or don't care about, is too much.''
-- John S. Novak, III (The Humblest Man on the Net)
Attachment:
pgpBt4Yji8Ik_.pgp
Description: PGP signature