Re: Apt-get is insecure
Conectiva currently has support for signed _repositories_, as well as
signed RPM packages. Check out their /etc/apt/sources.list for more
info on it.
The code may be portable to Debian, as their APT is based directly off
of Debian's way of doing things.
Perhaps this is nothing new, just thought I'd throw it out there.
On Thu, 2001-12-13 at 09:24, Wichert Akkerman wrote:
> Previously jereme wrote:
> > Can/is the checking of these signatures, (and fetching the appropriate
> > developer keys) integrated into apt-get? What am I missing?
> Apt works at a different level: it deals with download packages and
> archives, so it will not verify the signature that is embedded in
> a deb package.
> There is a seperate plan for verifying signatures using apt. From
> memory this goes as follows:
> * deb packages are installed in the archive
> * the MD5 checksum for each package is listed in the Packages file
> * the MD5 checksum for each Packages file for a release is listed in
> the Release file
> * the archive creates a signature for the Release file that apt can
> So by following the chain of MD5 sums apt should be able to verify
> that a package originates from a a specific release. This is less
> flexible then debsigs since it does not work on a per-package basis
> but by combining them you have a very powerful system.
> /firstname.lastname@example.org This space intentionally left occupied \
> | email@example.com http://www.liacs.nl/~wichert/ |
> | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
> To UNSUBSCRIBE, email to firstname.lastname@example.org
> with a subject of "unsubscribe". Trouble? Contact email@example.com
Blake Barnett (bdb) <firstname.lastname@example.org>
Sr. Unix Administrator
DevelopOnline.com office: 480-377-6816
"Do, or do not. There is no try." --Yoda