
Re: Apt-get is insecure

(Please don't use overly long lines, it makes text hard to read).

Previously Javier Fernández-Sanguino Peña wrote:
> A far better scheme was the one proposed by Wichert (signing
> only one file: Packages.gz and establish a trust relationship
> like this):

FWIW, I didn't propose it I just described it. I suspect the idea
came from Jason Gunthorpe.

> - When I update my system I download a Packages.gz file which is properly signed by a
> well-known authority (Ben? Wichert? James?) and distributed to the mirrors

It won't be a person's key but a special archive or release key.

> From what I know, this will be the supported scheme in the next release.

Well, afaik base is frozen and the current released version of
apt doesn't do that yet.


 /wichert@wiggy.net         This space intentionally left occupied \
| wichert@deephackmode.org            http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |
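The scheme discussed above (one signed index, an archive key rather than a person's key, and every package trusted only through that index) as a small working model. This is an added example written for this page; it is not code from the thread, from apt, or from the Debian archive tools. It assumes the signed index carries a digest for each package, which is the trust relationship the quoted text alludes to but does not spell out, and it uses Ed25519 from Go's standard library as a stand-in for whatever signing tool the archive key would actually use. The index layout and the package names are constructed for the example. It goes a little beyond the text by also showing the two failures a client must catch: a package body that no longer matches the index, and an index that was not signed by the archive key.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// BuildIndex renders a Packages-style index (constructed format for this
// example): one stanza per package with "Filename:" and "SHA256:" fields.
func BuildIndex(pkgs map[string][]byte) []byte {
	names := make([]string, 0, len(pkgs))
	for n := range pkgs {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic order, so the same archive yields the same bytes
	var b bytes.Buffer
	for _, n := range names {
		sum := sha256.Sum256(pkgs[n])
		fmt.Fprintf(&b, "Filename: %s\nSHA256: %s\n\n", n, hex.EncodeToString(sum[:]))
	}
	return b.Bytes()
}

// SignIndex is the archive's only signing step: the release key signs the
// index, never the individual packages.
func SignIndex(priv ed25519.PrivateKey, index []byte) []byte {
	return ed25519.Sign(priv, index)
}

// parseIndex maps Filename -> SHA256 hex digest from an index body.
func parseIndex(index []byte) (map[string]string, error) {
	digests := map[string]string{}
	sc := bufio.NewScanner(bytes.NewReader(index))
	var cur string
	for sc.Scan() {
		line := sc.Text()
		switch {
		case strings.HasPrefix(line, "Filename: "):
			cur = strings.TrimPrefix(line, "Filename: ")
		case strings.HasPrefix(line, "SHA256: "):
			if cur == "" {
				return nil, errors.New("SHA256 field before Filename")
			}
			digests[cur] = strings.TrimPrefix(line, "SHA256: ")
			cur = ""
		}
	}
	return digests, sc.Err()
}

// VerifyPackage is the client side. Trust is pinned to the archive public
// key; the signature is checked on the index, and the package is accepted
// only if its digest matches the one the signed index lists for it.
func VerifyPackage(pub ed25519.PublicKey, index, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(pub, index, sig) {
		return errors.New("index signature invalid: not signed by the archive key")
	}
	digests, err := parseIndex(index)
	if err != nil {
		return err
	}
	want, ok := digests[name]
	if !ok {
		return fmt.Errorf("package %q not listed in the signed index", name)
	}
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("package %q does not match the digest in the signed index", name)
	}
	return nil
}

// NewArchiveKey generates the archive key pair (kept offline in practice).
func NewArchiveKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := NewArchiveKey()
	name := "pool/main/e/example_1.0.deb" // constructed package name
	pkgs := map[string][]byte{name: []byte("constructed package bytes")}
	index := BuildIndex(pkgs)
	sig := SignIndex(priv, index)

	fmt.Println("genuine package:", VerifyPackage(pub, index, sig, name, pkgs[name]))
	// A mirror swaps the package body: the digest in the signed index no longer matches.
	fmt.Println("altered package:", VerifyPackage(pub, index, sig, name, []byte("altered")))
	// A mirror rebuilds the index to match the altered body: the signature fails.
	forged := BuildIndex(map[string][]byte{name: []byte("altered")})
	fmt.Println("forged index:   ", VerifyPackage(pub, forged, sig, name, []byte("altered")))
}
```

The point of the design is visible in the two failing cases: a mirror can serve any bytes it likes, but it cannot make them verify without the archive key, because the only signature the client trusts is on the index, and the index binds each package name to one digest.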
