Re: Time for apt-secure?
Michael Stone wrote:
> Where did you get the new key?
There was no new key. The 3.0r1 release used the 2002 master, whereas the
3.0r2 uses the 2003 master, which has been in use for security for a long time.
> How did you verify it?
From my perspective, the 2003 master key has an established trust history.
> Are you aware of how the archives are signed?
Vaguely. As someone else on the list also pointed out, the term "archive" as
used in this context for Debian is very unintuitive.
> Are you aware of how the packages are built?
Again, vaguely. But I assume that it does involve some signing stuff that the
developers do not necessarily verify themselves. I do assume that signatures
are made manually, not automatically. I may well be wrong here. :)
> The signature mechanism will protect against a compromised mirror
> but not against a compromised archive.
The primary threat from my perspective is against mirrors. I use them to
download stuff, and I want to make sure that it is the same stuff that was
distributed from the Debian masters. I have made the (unwarranted) assumption
that the "back-end" process is secure enough, so the primary threat is the
> As it turns out that doesn't appear to have happened, but the apt-secure
> method is insufficient to demonstrate that.
Yes, I can see that. Regardless, apt-secure does bring added value. How much
added value depends on how the keys are used. The next time the problem might
hit the distribution chain, and at that point I sure wish apt-secure is in use.
Camillo Särs <+email@example.com> ** Aim for the impossible and you
<http://www.iki.fi/+ged> ** will achieve the improbable.
PGP public key available **
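The distinction drawn above, that a Release signature catches a tampering mirror but says nothing about a compromised archive, can be made concrete with a small model of the apt-secure verification chain (Release.gpg -> Release -> Packages -> .deb). This is an added illustration, not code from the thread or from apt itself; it stands in for the OpenPGP signature with an HMAC under a constructed key (so "the client verifies the signature" is modelled as recomputing the HMAC, which is the one place it is weaker than the real asymmetric scheme), and the file names, hashes and package contents are all constructed.

```python
import hashlib
import hmac

# Constructed stand-in for the archive's signing key. Real apt-secure uses
# an OpenPGP key pair; an HMAC key models "only the archive can produce a
# valid Release signature" well enough to show where the trust boundary is.
ARCHIVE_SIGNING_KEY = b"constructed-archive-signing-key"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def sign_release(release):
    """Archive side: the detached signature over the Release file."""
    return hmac.new(ARCHIVE_SIGNING_KEY, release, hashlib.sha256).hexdigest()


def build_archive(deb, deb_name="foo_1.0_all.deb"):
    """Archive side: Packages lists each .deb with its hash, Release lists the
    Packages file with its hash, and only Release is signed."""
    packages = (f"Package: foo\nFilename: pool/main/f/foo/{deb_name}\n"
                f"Size: {len(deb)}\nSHA256: {sha256(deb)}\n").encode()
    release = (f"SHA256:\n {sha256(packages)} {len(packages)} "
               f"main/binary-all/Packages\n").encode()
    return {"Release": release, "Release.gpg": sign_release(release),
            "main/binary-all/Packages": packages,
            f"pool/main/f/foo/{deb_name}": deb}


def parse_release(release):
    """{path: sha256} from the SHA256 stanza of a Release file."""
    hashes, in_stanza = {}, False
    for line in release.decode().splitlines():
        if line.startswith("SHA256:"):
            in_stanza = True
        elif in_stanza and line.startswith(" "):
            digest, _size, path = line.split()
            hashes[path] = digest
        else:
            in_stanza = False
    return hashes


def parse_packages(packages):
    """{Filename: SHA256} for every stanza in a Packages file."""
    hashes, filename = {}, None
    for line in packages.decode().splitlines():
        if line.startswith("Filename: "):
            filename = line.split(": ", 1)[1]
        elif line.startswith("SHA256: ") and filename:
            hashes[filename] = line.split(": ", 1)[1]
    return hashes


def client_verify(mirror):
    """Client side: walk Release.gpg -> Release -> Packages -> .deb.
    Returns (ok, reason) so each failure names the link that broke."""
    # 1. Signature on Release (real apt: public-key check; here: HMAC).
    if not hmac.compare_digest(sign_release(mirror["Release"]), mirror["Release.gpg"]):
        return False, "Release signature invalid"
    # 2. Every index listed in Release must hash as Release says.
    for path, digest in parse_release(mirror["Release"]).items():
        if path not in mirror or sha256(mirror[path]) != digest:
            return False, f"{path} does not match Release"
        # 3. Every .deb listed in that index must hash as the index says.
        for filename, deb_digest in parse_packages(mirror[path]).items():
            if filename not in mirror or sha256(mirror[filename]) != deb_digest:
                return False, f"{filename} does not match Packages"
    return True, "ok"


GOOD_DEB = b"constructed good package contents"      # constructed sample
BAD_DEB = b"constructed trojaned package contents"   # constructed sample
DEB_PATH = "pool/main/f/foo/foo_1.0_all.deb"
PKG_PATH = "main/binary-all/Packages"


def scenario(name):
    """Serve the archive through a mirror under one of several conditions."""
    mirror = build_archive(GOOD_DEB)
    if name == "mirror swaps deb":
        mirror[DEB_PATH] = BAD_DEB                 # hash no longer matches Packages
    elif name == "mirror rewrites index":
        evil = build_archive(BAD_DEB)              # consistent Packages + .deb,
        mirror[DEB_PATH] = evil[DEB_PATH]          # but Release still carries the
        mirror[PKG_PATH] = evil[PKG_PATH]          # old Packages hash
    elif name == "mirror forges release":
        mirror.update(build_archive(BAD_DEB))
        mirror["Release.gpg"] = "0" * 64           # no archive key, no valid signature
    elif name == "archive compromised":
        mirror = build_archive(BAD_DEB)            # signed with the real key: verifies
    return client_verify(mirror)


if __name__ == "__main__":
    for case in ["honest mirror", "mirror swaps deb", "mirror rewrites index",
                 "mirror forges release", "archive compromised"]:
        print(f"{case:24} -> {scenario(case)}")
```

The first four cases show why the mirror is the threat the signature chain addresses: whatever a mirror changes, the client's check fails at the link the mirror could not re-sign. The last case is the point of the thread: an archive that holds the signing key produces a perfectly valid chain over whatever it ships, so apt-secure demonstrates nothing about the integrity of the "back-end" process, only that what arrived is what the archive signed.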