Re: ITI: HTTPS method for apt

To: debian-devel@lists.debian.org
Subject: Re: ITI: HTTPS method for apt
From: Nicolai P Guba <nicolai@gnu.ai.mit.edu>
Date: Thu, 21 Mar 2002 01:36:11 +0000
Message-id: <[🔎] E16nrVD-000096-00@eurotrash>
In-reply-to: <[🔎] 87r8mfm39u.fsf@CERT.Uni-Stuttgart.DE>
References: <[🔎] Pine.LNX.4.44.0203191529580.4094-100000@tpo2.sourcepole> <[🔎] 1016569697.2991.18.camel@altair> <[🔎] 87r8mfm39u.fsf@CERT.Uni-Stuttgart.DE>

On Wednesday 20 March 2002 7:45 pm, Florian Weimer wrote:
> Paolo Redaelli <paolo.redaelli@libero.it> writes:
> >> Why? Don't you want yor neighbours (or whoever might be abble to spy on
> >> your network traffic) to see what package versions you run?
> >
> > Crypted downloads is a step toward improvements in security and/or
> > commercial support (note commercial != proprietary)
>
> I agree (but I doubt the commercial part), but reencrypting the same
> data over and over again is quite inefficient.  Furthermore, you don't
> know the actual source of the package, you have to trust the mirror.
>
> Signing packages themselves is a much better approach IMHO.

Euh... Is apt actuall verifying this?  Where are the signatures kept?  If 
it's on the same server then it's a doddle to put up compromised packages and 
sign them.

It may look like overkill, but the chap has a point IMHO.

Reply to:

Follow-Ups:
- Re: ITI: HTTPS method for apt
  - From: Adam Heath <doogie@debian.org>

References:
- ITI: HTTPS method for apt
  - From: "Tomas Pospisek's Mailing Lists" <tpo2@sourcepole.ch>
- Re: ITI: HTTPS method for apt
  - From: Paolo Redaelli <paolo.redaelli@libero.it>
- Re: ITI: HTTPS method for apt
  - From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>

Prev by Date: Re: Why does autoconf depend on autoconf2.13?
Next by Date: Re: ITI: HTTPS method for apt
Previous by thread: Re: debsigs
Next by thread: Re: ITI: HTTPS method for apt
Index(es):
- Date
- Thread