[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ITI: HTTPS method for apt

On Thursday 21 March 2002 3:16 am, Adam Heath wrote:
> On Thu, 21 Mar 2002, Nicolai P Guba wrote:
> > On Wednesday 20 March 2002 7:45 pm, Florian Weimer wrote:
> > > Paolo Redaelli <paolo.redaelli@libero.it> writes:
> > > >> Why? Don't you want yor neighbours (or whoever might be abble to spy
> > > >> on your network traffic) to see what package versions you run?
> > > >
> > > > Crypted downloads is a step toward improvements in security and/or
> > > > commercial support (note commercial != proprietary)
> > >
> > > I agree (but I doubt the commercial part), but reencrypting the same
> > > data over and over again is quite inefficient.  Furthermore, you don't
> > > know the actual source of the package, you have to trust the mirror.
> > >
> > > Signing packages themselves is a much better approach IMHO.
> >
> > Euh... Is apt actuall verifying this?  Where are the signatures kept?  If
> > it's on the same server then it's a doddle to put up compromised packages
> > and sign them.
> apt is not yet verifying these.

Hmmm...  I didn't see any evidence that it would.  So far the community has 
been quite lucky that nobody has done some serious attacks on packages.  It 
would be a doddle to seriously compromise a system by having

	1) it's source code
	2) a powerful replication/distribution mechanism

available.  How can any admin actually really be sure that his login or ssh 
.deb hasn't been compromised?  Scary thought.

> The way this would work, is debian would have a set of keys.  The archive
> signing key, that exists on the master ftp archive, would sign packages.
> Then, the public key would be used to verify the signature of the package,
> after downloading.
> This would allow for unencrypted transfers, while still maintaining the
> validity of the data in transit.

Indeed.  Encrypted transfer should be an option, not the default.  Would be 
easy to identify too:


for unencrypted


for encrypted.

	apt-get install

	apt-get sinstall

would be another option.  Either way, it's only keyboard sugar.

Heppy Heckin'

To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: