
Re: third-party packages adding apt sources

Hi Daniel,

On Thu, May 19, 2016 at 05:18:28PM +0200, Daniel Pocock wrote:
> From a technical perspective, can we do more to prevent users being
> surprised by packages putting new entries in /etc/apt/sources.list.d?

Maybe you are looking for an Apt option that would only install a package if it
comes from a repository signed with a key that itself is signed by a trusted key?

This way, from inside or outside Debian, chains of trust could be used to
certify the compliance of third-party repositories with good practices, or
other rules.

As suggested in this thread, dpkg triggers or other kinds of hooks could check
that packages installed directly without Apt would not change the trust keys
without the user being aware of this.

Have a nice day,

Charles Plessy
Tsurumi, Kanagawa, Japan
