Re: ITI: HTTPS method for apt
On Wednesday 20 March 2002 7:45 pm, Florian Weimer wrote:
> Paolo Redaelli <paolo.redaelli@libero.it> writes:
> >> Why? Don't you want your neighbours (or whoever might be able to spy on
> >> your network traffic) to see what package versions you run?
> >
> > Encrypted downloads are a step toward improvements in security and/or
> > commercial support (note commercial != proprietary)
>
> I agree (but I doubt the commercial part), but reencrypting the same
> data over and over again is quite inefficient. Furthermore, you don't
> know the actual source of the package, you have to trust the mirror.
>
> Signing packages themselves is a much better approach IMHO.
Euh... Is apt actually verifying this? Where are the signatures kept? If
it's on the same server then it's a doddle to put up compromised packages and
sign them.
It may look like overkill, but the chap has a point IMHO.
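The distinction Florian draws (trusting the mirror versus verifying a signature from the archive) and the question above about where the signatures and keys live can be made concrete. The Go program below is an added example, not code from apt or from anyone on this thread. It models an archive that signs a manifest of package hashes, and a client that verifies that manifest against a public key it already holds locally, so a mirror that alters a package, or re-signs a manifest with a key of its own, is rejected. The type and function names (Archive, Client, Publish, Verify), the manifest line format and the sample package contents are constructed for this example and are not apt's actual formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Archive plays the role of the distribution's signing infrastructure.
// It holds the private key; only its public key is ever given to clients.
type Archive struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewArchive generates a fresh signing key pair (constructed for the demo).
func NewArchive() (*Archive, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Archive{priv: priv, Pub: pub}, nil
}

// Publish builds a manifest ("sha256hex  name" per line, sorted so the
// output is deterministic) and signs the manifest as a whole. Packages are
// not signed individually; the signed manifest vouches for their hashes.
func (a *Archive) Publish(pkgs map[string][]byte) (manifest string, sig []byte) {
	names := make([]string, 0, len(pkgs))
	for n := range pkgs {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(pkgs[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	manifest = b.String()
	sig = ed25519.Sign(a.priv, []byte(manifest))
	return manifest, sig
}

// Client holds exactly one trusted public key, installed out of band
// (the analogue of a keyring shipped with the OS), never taken from the mirror.
type Client struct {
	Trusted ed25519.PublicKey
}

// hashFor looks up the expected hex digest for name in the manifest.
func hashFor(manifest, name string) (string, bool) {
	for _, line := range strings.Split(manifest, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 2 && fields[1] == name {
			return fields[0], true
		}
	}
	return "", false
}

// Verify accepts a package only if (1) the manifest signature checks out
// under the locally trusted key and (2) the package body matches the hash
// listed in that manifest. Anything the mirror could alter is caught here.
func (c Client) Verify(manifest string, sig []byte, name string, body []byte) error {
	if !ed25519.Verify(c.Trusted, []byte(manifest), sig) {
		return errors.New("manifest signature was not made by the trusted archive key")
	}
	want, ok := hashFor(manifest, name)
	if !ok {
		return fmt.Errorf("package %q is not listed in the manifest", name)
	}
	sum := sha256.Sum256(body)
	if hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("package %q does not match its manifest hash", name)
	}
	return nil
}

func main() {
	archive, err := NewArchive()
	if err != nil {
		panic(err)
	}
	pkgs := map[string][]byte{"hello_1.0.deb": []byte("constructed package contents")}
	manifest, sig := archive.Publish(pkgs)
	client := Client{Trusted: archive.Pub}
	// Honest mirror: everything relayed unchanged -> nil error.
	fmt.Println("honest mirror:", client.Verify(manifest, sig, "hello_1.0.deb", pkgs["hello_1.0.deb"]))
	// Mirror alters the package body but cannot alter the signed manifest -> hash error.
	fmt.Println("modified body:", client.Verify(manifest, sig, "hello_1.0.deb", []byte("something else")))
	// Mirror publishes its own manifest under its own key -> signature error.
	other, _ := NewArchive()
	m2, s2 := other.Publish(map[string][]byte{"hello_1.0.deb": []byte("something else")})
	fmt.Println("re-signed by mirror:", client.Verify(m2, s2, "hello_1.0.deb", []byte("something else")))
}
```

The whole design rests on the Client's key arriving by some path other than the mirror it downloads from. If the key were fetched alongside the packages, the third scenario would pass, and the signature would add nothing over an unauthenticated download, which is exactly the concern raised above about keeping signatures on the same server.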