[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: concrete steps for improving apt downloading security and privacy

On 07/06/2014 10:31 PM, Lou RUPPERT wrote:
> Joel Rees:
>> On Sat, Jul 5, 2014 at 12:43 AM, Lou RUPPERT
>> <himself@louruppert.com> wrote:
>> As someone pointed out, verifying the mirror we've connected to is
>> not useful when we don't particularly have, or want, a way to
>> prevent a spook-owned mirror from joining the pool.
> OK so supposing the NSA offers its own mirror. The package
> installation process verifies PGP signatures. What is the actual
> scenario you're trying to prevent?

apt repositories are great because the users do not have to rely on the
servers that host the repositories in order to know that they packages are
authentic and unmodified.

Tor provides the same resilience in terms of privacy.  If apt-get is accessing
the NSA mirror using Tor, then even the NSA will not be able to see the IP
address of the computer that is downloading from that mirror.  And as long as
apt does not leak much metadata, it would be quite difficult for the NSA to
de-anonymize that connection.


Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: