Re: Apt-get is insecure
(Please don't use overly long lines, it makes text hard to read).
Previously Javier Fernández-Sanguino Peña wrote:
> A far better scheme was the one proposed by Wichert (signing
> only one file: Packages.gz and establish a trust relationship
> like this):
FWIW, I didn't propose it I just described it. I suspect the idea
came from Jason Gunthorpe.
> - When I update my system I download a Packages.gz file which is
> properly signed by a well-known authority (Ben? Wichert? James?)
> and distributed to the mirrors
It won't be a person's key but a special archive or release key.
> From what I know, this will be supported scheme in the next release.
Well, afaik base is frozen and the current released version of
apt doesn't do that yet.
| This space intentionally left occupied |
| http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |