
Re: Apt-get is insecure



Hi

> > Could anyone point me to some documentation about how this fits
> > within the 'usual' apt-get update apt-get install procedure.
>
> The idea is:
> * packages are signed using debsig and get one (or more) embedded
>   signatures
> * apt & friends don't look at the signature and will just see a
> normal package
> * dpkg will call debsig-verify to verify the signature and validate
> the package
>
> The last step is currently skipped since /etc/dpkg/dpkg.cfg
> includes the no-debsig option by default, otherwise debsig-verify
> would happily reject all current packages.
                       ^^^
All or just those that are not signed correctly?

Is there the possibility to just get a warning? In potato the
no-debsig switch isn't even documented in the dpkg manpage.

Hendrik

-- 
PGP ID 21F0AC0265C92061
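A check for the no-debsig option in dpkg.cfg plus a warn-only wrapper around debsig-verify, as an added example that is not part of the original thread. The sample dpkg.cfg is constructed here, and the verifier command is a parameter so the wrapper can be tried with a stand-in (`false`) where debsig-verify is not installed.

```sh
#!/bin/sh
# Added example: inspect a dpkg.cfg for "no-debsig" and wrap a verifier so
# that a failed signature check is reported as a warning instead of an error.

# Return 0 if the given dpkg.cfg contains an active "no-debsig" line.
# dpkg.cfg holds one option per line; lines starting with '#' are comments.
debsig_disabled() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    grep -v '^[[:space:]]*#' "$cfg" \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -qx 'no-debsig'
}

# Run a verifier on a .deb and only warn when it fails; always returns 0.
# $1 = verifier command (normally "debsig-verify"), $2 = path to the .deb.
# Echoes a one-line result so callers can log it.
warn_only_verify() {
    verifier="$1"; deb="$2"
    if "$verifier" "$deb" >/dev/null 2>&1; then
        echo "ok: $deb signature verified"
    else
        echo "warning: $deb failed signature verification (continuing)"
    fi
    return 0
}

# Constructed sample configuration (mirrors the default described above).
cat > dpkg.cfg.sample <<'EOF'
# dpkg configuration file
# Do not enable debsig-verify checks by default
no-debsig
EOF

if debsig_disabled dpkg.cfg.sample; then
    echo "dpkg.cfg.sample: signature checks are disabled (no-debsig present)"
fi
# Stand-in verifier that always fails, to show the warning path.
warn_only_verify false example.deb
```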

