Re: How to improve archive verification possibilities for the future



Marc Haber <mh+debian-devel@zugschlus.de> writes:

>> The Release files for unstable and testing still have to be signed
>> automatically, but I'd really prefer to have that done by
>> downloading the file to a non-public machine, signing there and
>> re-uploading.  Additionally, I'd like to have snapshots (for
>> example all four weeks) to be signed manually with an off-line key.

Since the signing of the Release files is probably one of the weakest
points in the chain, perhaps the key which hosts this key should be
running SELinux or something?  That doesn't help if the build servers
are cracked, but it does defend against some attacks.

Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de> writes:

> If I read it right glancing over it apt-secure will check the trust
> chain every time you install/update/upgrade something.

True, and I think that some of the changes suggested in the previous
email will help to strengthen that chain.  I like the idea of the
offline key for signing stable.

> That really should be moved to sid asap and I would even prefer
> including it in sarge. Users have been screaming for this for years.

Colin and I are very eager to see apt-secure ideas integrated into the
"mainline" apt ASAP and I'm very willing to continue helping this
transition.  We don't really want to maintain a separate system much
longer.

I plan to update apt-secure sometime soon, but I should warn people
that our implementation will likely _not_ be compatible with the
eventual implementation in "mainline" apt (getting rid of
vendors.list, for instance, if I recall), or with the implementation
for RPM that our work was loosely based upon.

Discussion on the integration can be found in:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=203741

BTW, we've gotten a lot of email about apt-secure in the last week and
a half.

peace,

isaac
