[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Time for apt-secure?


As far as I can tell, apt-secure would have protected against any compromise of the archives in this hacking incident. That is, provided that the developers keep their private keys secure. This is precisely the intent of apt-secure - to remove the need to rely on archives to be trusted. With apt-secure, any update that does not match what the developer released simply won't be installed. The 3.0r2 release was good proof of this - until I reconfigured sources.list to use the 2003 master key for the release, apt simply refused to touch it.

I am using apt-secure, but it's not part of stable. What's the real plan for apt-secure, will it be standard in the next major release? AFAIK, there are many wrinkles to be ironed out...

Camillo Särs <+ged+@iki.fi>              **  Aim for the impossible and you
<http://www.iki.fi/+ged>                 **   will achieve the improbable.
PGP public key available                 **

Reply to: