Time for apt-secure?

To: debian-security@lists.debian.org
Subject: Time for apt-secure?
From: Camillo Särs <ged@iki.fi>
Date: Thu, 27 Nov 2003 08:53:09 +0200
Message-id: <[🔎] 3FC59F55.4040305@iki.fi>

Hi,

As far as I can tell, apt-secure would have protected against any compromiseof the archives in this hacking incident. That is, provided that thedevelopers keep their private keys secure. This is precisely the intent ofapt-secure - to remove the need to rely on archives to be trusted. Withapt-secure, any update that does not match what the developer released simplywon't be installed. The 3.0r2 release was good proof of this - until Ireconfigured sources.list to use the 2003 master key for the release, aptsimply refused to touch it.

I am using apt-secure, but it's not part of stable. What's the real plan forapt-secure, will it be standard in the next major release? AFAIK, there aremany wrinkles to be ironed out...


Regards,
Camillo
--
Camillo Särs <+ged+@iki.fi>              **  Aim for the impossible and you
<http://www.iki.fi/+ged>                 **   will achieve the improbable.
PGP public key available                 **

Reply to:

Follow-Ups:
- Re: [sec] Time for apt-secure?
  - From: maximilian attems <debian@sternwelten.at>
- Possibly compromised ElGamal keys [was: Re: Time for apt-secure?]
  - From: Joshua Goodall <joshua@myinternet.com.au>
- Re: Time for apt-secure?
  - From: Bernd Eckenfels <ecki@calista.eckenfels.6bone.ka-ip.net>

Prev by Date: Re: More hacked servers?
Next by Date: Re: chkrootkit and lkm
Previous by thread: Re: strange reboot on woody
Next by thread: Re: [sec] Time for apt-secure?
Index(es):
- Date
- Thread