Time for apt-secure?
Hi,

As far as I can tell, apt-secure would have protected against any compromise
of the archives in this hacking incident. That is, provided that the
developers keep their private keys secure. This is precisely the intent of
apt-secure - to remove the need to rely on archives to be trusted. With
apt-secure, any update that does not match what the developer released simply
won't be installed. The 3.0r2 release was good proof of this - until I
reconfigured sources.list to use the 2003 master key for the release, apt
simply refused to touch it.

I am using apt-secure, but it's not part of stable. What's the real plan for
apt-secure? Will it be standard in the next major release? AFAIK, there are
many wrinkles to be ironed out...

Regards,
Camillo
--
Camillo Särs <+ged+@iki.fi> ** Aim for the impossible and you
<http://www.iki.fi/+ged> ** will achieve the improbable.
PGP public key available **