[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ITI: HTTPS method for apt

On Wednesday 20 March 2002 7:45 pm, Florian Weimer wrote:
> Paolo Redaelli <paolo.redaelli@libero.it> writes:
> >> Why? Don't you want yor neighbours (or whoever might be abble to spy on
> >> your network traffic) to see what package versions you run?
> >
> > Crypted downloads is a step toward improvements in security and/or
> > commercial support (note commercial != proprietary)
> I agree (but I doubt the commercial part), but reencrypting the same
> data over and over again is quite inefficient.  Furthermore, you don't
> know the actual source of the package, you have to trust the mirror.
> Signing packages themselves is a much better approach IMHO.

Euh... Is apt actuall verifying this?  Where are the signatures kept?  If 
it's on the same server then it's a doddle to put up compromised packages and 
sign them.

It may look like overkill, but the chap has a point IMHO.

Reply to: