
Re: ITI: HTTPS method for apt



On Thursday 21 March 2002 3:16 am, Adam Heath wrote:
> On Thu, 21 Mar 2002, Nicolai P Guba wrote:
> > On Wednesday 20 March 2002 7:45 pm, Florian Weimer wrote:
> > > Paolo Redaelli <paolo.redaelli@libero.it> writes:
> > > >> Why? Don't you want your neighbours (or whoever might be able to spy
> > > >> on your network traffic) to see what package versions you run?
> > > >
> > > > Crypted downloads is a step toward improvements in security and/or
> > > > commercial support (note commercial != proprietary)
> > >
> > > I agree (but I doubt the commercial part), but reencrypting the same
> > > data over and over again is quite inefficient.  Furthermore, you don't
> > > know the actual source of the package, you have to trust the mirror.
> > >
> > > Signing packages themselves is a much better approach IMHO.
> >
> > Euh... Is apt actually verifying this?  Where are the signatures kept?  If
> > it's on the same server then it's a doddle to put up compromised packages
> > and sign them.
>
> apt is not yet verifying these.

Hmmm...  I didn't see any evidence that it would.  So far the community has 
been quite lucky that nobody has done some serious attacks on packages.  It 
would be a doddle to seriously compromise a system by having

	1) its source code
	2) a powerful replication/distribution mechanism

available.  How can any admin actually really be sure that his login or ssh 
.deb hasn't been compromised?  Scary thought.

> The way this would work, is debian would have a set of keys.  The archive
> signing key, that exists on the master ftp archive, would sign packages.
> Then, the public key would be used to verify the signature of the package,
> after downloading.
>
> This would allow for unencrypted transfers, while still maintaining the
> validity of the data in transit.

Indeed.  Encrypted transfer should be an option, not the default.  Would be 
easy to identify too:

	apt-get

for unencrypted

	sapt-get

for encrypted.

	apt-get install

	apt-get sinstall

would be another option.  Either way, it's only keyboard sugar.

Heppy Heckin'
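
Added example, not part of the original thread: a sketch of the scheme discussed above, where the master signs a package and the client verifies it after an unencrypted download, including the case raised earlier where the mirror re-signs a modified package with its own key. It uses unpadded textbook RSA with constructed, insecure demo keys; all names and package contents are hypothetical.

```python
import hashlib

E = 65537  # public exponent

def make_key(p, q):
    """Textbook RSA key: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed demo keys built from well-known Mersenne primes: trivially
# factorable, illustration only. A real archive would use a GnuPG key.
ARCHIVE_N, ARCHIVE_D = make_key(2**521 - 1, 2**607 - 1)   # held on the master
MIRROR_N, MIRROR_D = make_key(2**127 - 1, 2**1279 - 1)    # whoever controls a mirror

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, n, d):
    """Unpadded hash-then-sign (assumption: real schemes add padding)."""
    return pow(digest(data), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data)

def fetch_and_verify(mirror, name, trusted_n):
    """Client: take whatever the mirror serves, check it against the key
    the client already holds, never a key the mirror supplies."""
    data, sig = mirror[name]
    return verify(data, sig, trusted_n)

def demo():
    pkg = b"constructed contents of ssh.deb"
    evil = pkg + b" plus a backdoor"
    good_sig = sign(pkg, ARCHIVE_N, ARCHIVE_D)
    mirrors = {
        "honest": {"ssh.deb": (pkg, good_sig)},
        "tampered": {"ssh.deb": (evil, good_sig)},
        "re-signed": {"ssh.deb": (evil, sign(evil, MIRROR_N, MIRROR_D))},
    }
    results = {k: fetch_and_verify(m, "ssh.deb", ARCHIVE_N) for k, m in mirrors.items()}
    # Trusting a key fetched from the same server accepts the forgery:
    results["re-signed, mirror's key"] = fetch_and_verify(mirrors["re-signed"], "ssh.deb", MIRROR_N)
    return results

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'REJECT'}")
```

The transport plays no part in the accept/reject decision; only the key the client already trusts does.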

