Re: Apt-get is insecure
Conectiva currently has support for signed _repositories_, as well as
signed RPM packages. Check out their /etc/apt/sources.list for more
info on it.
The code may be portable to Debian, as their APT is based directly off
of Debian's way of doing things.
http://distro.conectiva.com/projetos/42/
Perhaps this is nothing new, just thought I'd throw it out there.
On Thu, 2001-12-13 at 09:24, Wichert Akkerman wrote:
> Previously jereme wrote:
> > Can/is the checking of these signatures, (and fetching the appropriate
> > developer keys) integrated into apt-get? What am I missing?
>
> Apt works at a different level: it deals with downloading packages and
> archives, so it will not verify the signature that is embedded in
> a deb package.
>
> There is a separate plan for verifying signatures using apt. From
> memory this goes as follows:
>
> * deb packages are installed in the archive
> * the MD5 checksum for each package is listed in the Packages file
> * the MD5 checksum for each Packages file for a release is listed in
> the Release file
> * the archive creates a signature for the Release file that apt can
> verify
>
> So by following the chain of MD5 sums apt should be able to verify
> that a package originates from a specific release. This is less
> flexible than debsigs since it does not work on a per-package basis,
> but by combining them you have a very powerful system.
>
> Wichert.
>
> --
> _________________________________________________________________
> /wichert@wiggy.net This space intentionally left occupied \
> | wichert@deephackmode.org http://www.liacs.nl/~wichert/ |
> | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
--
Blake Barnett (bdb) <blake.barnett@developonline.com>
Sr. Unix Administrator
DevelopOnline.com office: 480-377-6816
"Do, or do not. There is no try." --Yoda
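The checksum chain Wichert lays out in the quoted message (each Packages file listed by sum in Release, each .deb listed by sum in Packages), as an added Python example; this is not code from the thread, from apt or from Conectiva. The Release and Packages contents are constructed for the demo, in their real on-disk formats. Verifying the detached OpenPGP signature on the Release file, which apt does with gpgv, is assumed to have already succeeded before verify_chain() is called, because that signature is the root of trust for everything below it. MD5 is the default because that is what the 2001 plan specifies; the digest algorithm is a parameter so the same check runs over SHA256, which current Release files also carry.

```python
"""Release -> Packages -> .deb checksum chain, as described in the thread.

Added example, not apt's code.  Assumes the Release file's detached
signature was already verified (apt uses gpgv for that); this only follows
the hash chain below that root of trust.  Contents are constructed for the
demo; the file formats are the real ones.
"""
import hashlib

HASH = "md5"  # what the 2001 plan used; current Release files carry SHA256 too
RELEASE_FIELD = {"md5": "MD5Sum", "sha256": "SHA256"}   # stanza name in Release
PACKAGES_FIELD = {"md5": "MD5sum", "sha256": "SHA256"}  # field name in Packages


def digest(data: bytes, algo: str = HASH) -> str:
    return hashlib.new(algo, data).hexdigest()


def parse_release(text: str, algo: str = HASH) -> dict:
    """{index path: (hexdigest, size)} from the Release checksum stanza:
         MD5Sum:
          <hex> <size> main/binary-i386/Packages
       The stanza ends at the next unindented line."""
    sums, in_stanza = {}, False
    for line in text.splitlines():
        if line.startswith(RELEASE_FIELD[algo] + ":"):
            in_stanza = True
        elif in_stanza and line.startswith(" "):
            hexdigest, size, path = line.split()
            sums[path] = (hexdigest, int(size))
        else:
            in_stanza = False
    return sums


def parse_packages(text: str, algo: str = HASH) -> dict:
    """{Filename: (hexdigest, size)} from a Packages file: blank-line separated
       stanzas; indented lines are Description continuations and are skipped."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line.startswith(" "):
                continue
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        entries[fields["Filename"]] = (fields[PACKAGES_FIELD[algo]], int(fields["Size"]))
    return entries


def verify_chain(release_text: str, packages_path: str, packages_text: str,
                 deb_filename: str, deb_bytes: bytes, algo: str = HASH) -> bool:
    """Tie deb_bytes back to the (signature-checked) Release through two hops.
       Size is checked next to the digest at each hop, as apt does."""
    release = parse_release(release_text, algo)
    if packages_path not in release:          # index not vouched for by Release
        return False
    want_hex, want_size = release[packages_path]
    pkg_bytes = packages_text.encode()
    if len(pkg_bytes) != want_size or digest(pkg_bytes, algo) != want_hex:
        return False                          # Packages file altered or swapped
    packages = parse_packages(packages_text, algo)
    if deb_filename not in packages:
        return False
    want_hex, want_size = packages[deb_filename]
    return len(deb_bytes) == want_size and digest(deb_bytes, algo) == want_hex


def build_archive(deb_filename: str, deb_bytes: bytes, algo: str = HASH):
    """Constructed archive metadata: one Packages stanza for the .deb and a
       Release file listing that Packages file.  Returns (release, path, packages)."""
    packages_path = "main/binary-i386/Packages"
    packages_text = (
        "Package: hello\nVersion: 1.3-16\nArchitecture: i386\n"
        f"Filename: {deb_filename}\nSize: {len(deb_bytes)}\n"
        f"{PACKAGES_FIELD[algo]}: {digest(deb_bytes, algo)}\n"
        "Description: constructed stanza for the demo\n continuation line\n"
    )
    pkg_bytes = packages_text.encode()
    release_text = (
        "Origin: Debian\nSuite: stable\n"
        f"{RELEASE_FIELD[algo]}:\n"
        f" {digest(pkg_bytes, algo)} {len(pkg_bytes)} {packages_path}\n"
    )
    return release_text, packages_path, packages_text


if __name__ == "__main__":
    deb = b"!<arch>\nconstructed .deb bytes for the demo"   # stands in for a real .deb
    fname = "pool/main/h/hello/hello_1.3-16_i386.deb"
    release, ppath, packages = build_archive(fname, deb)
    print("genuine package:  ", verify_chain(release, ppath, packages, fname, deb))
    print("tampered package: ", verify_chain(release, ppath, packages, fname, deb + b"x"))
    # An attacker who also rewrites Packages to bless the tampered .deb is still
    # caught, because Release no longer vouches for that Packages file.
    forged = packages.replace(digest(deb), digest(deb + b"x")).replace(
        f"Size: {len(deb)}", f"Size: {len(deb) + 1}")
    print("forged index:     ", verify_chain(release, ppath, forged, fname, deb + b"x"))
```

The point of the second hop is the one Wichert makes: a mirror that serves a modified .deb, or a modified Packages file that blesses it, fails the chain as long as the Release file it is checked against is the signed one. The per-package debsigs signature is orthogonal and would be checked by dpkg on the .deb itself.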