Re: ITI: HTTPS method for apt

On Thu, 21 Mar 2002, Nicolai P Guba wrote:

> On Wednesday 20 March 2002 7:45 pm, Florian Weimer wrote:
> > Paolo Redaelli <paolo.redaelli@libero.it> writes:
> > >> Why? Don't you want your neighbours (or whoever might be able to spy on
> > >> your network traffic) to see what package versions you run?
> > >
> > > Encrypted downloads are a step toward improvements in security and/or
> > > commercial support (note commercial != proprietary)
> >
> > I agree (but I doubt the commercial part), but reencrypting the same
> > data over and over again is quite inefficient.  Furthermore, you don't
> > know the actual source of the package, you have to trust the mirror.
> >
> > Signing packages themselves is a much better approach IMHO.
> Euh... Is apt actually verifying this?  Where are the signatures kept?  If
> it's on the same server then it's a doddle to put up compromised packages and
> sign them.

apt is not yet verifying these.

The way this would work is that Debian would have a set of keys.  The archive
signing key, which exists on the master ftp archive, would sign packages.
Then, the public key would be used to verify the signature of the package
after downloading.

This would allow for unencrypted transfers, while still maintaining the
validity of the data in transit.
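The scheme described in the reply, as an added example that is not from this thread or from apt itself: the master archive holds the private signing key, a mirror serves the package bytes plus a detached signature, and the client verifies with only the public key after an unencrypted download. Ed25519 from Go's standard library stands in for the OpenPGP keys Debian actually uses, and the package name and contents are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedPackage is what a mirror serves: package bytes and a detached
// signature made by the archive signing key. The mirror never holds the
// private key, so it cannot produce a valid signature for altered content.
type SignedPackage struct {
	Name string
	Data []byte
	Sig  []byte
}

// digest binds the package name to its contents so a signature cannot be
// replayed onto a different package with the same bytes.
func digest(name string, data []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so name/data boundaries are unambiguous
	h.Write(data)
	return h.Sum(nil)
}

// SignPackage runs only on the master archive, where the private key lives.
func SignPackage(priv ed25519.PrivateKey, name string, data []byte) SignedPackage {
	return SignedPackage{Name: name, Data: data, Sig: ed25519.Sign(priv, digest(name, data))}
}

// VerifyPackage runs on the client after download, using the public key only.
func VerifyPackage(pub ed25519.PublicKey, p SignedPackage) bool {
	return ed25519.Verify(pub, digest(p.Name, p.Data), p.Sig)
}

// Demo returns whether a genuine download verifies and whether a copy
// modified in transit (or on a compromised mirror) verifies.
func Demo() (genuineOK bool, tamperedOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := SignPackage(priv, "hello_1.0_all.deb", []byte("constructed package contents"))
	tampered := pkg // same name and signature, different bytes
	tampered.Data = []byte("constructed package contents, altered by a mirror")
	return VerifyPackage(pub, pkg), VerifyPackage(pub, tampered)
}

func main() {
	g, t := Demo()
	fmt.Println("genuine verifies:", g, "tampered verifies:", t)
}
```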

