Re: concrete steps for improving apt downloading security and privacy
I saw that some of my concerns were mentioned there about obtaining and verifying installation media, MITM attacks, etc.
I have previously verified installation media via the methods described in the FAQ, downloading GPG keys, etc. and still
had an issue of having aptitude telling me that all available packages are from untrusted sources. (This was some years
ago when I had this issue)
I seem to remember being offered security updates for the kernel, OpenSSL, SSH, etc. where my only option was to download
untrusted packages. I would get warning messages from aptitude about installing security updates.
Maybe there should be written a document that describes in detail in easy to understand language what steps to take to
verify keys and verify that apt has not been compromised in an already installed system. And also verifying that GPG has not
It is the job of the NSA to be able to compromise systems. We should make that task as difficult as possible at every level
and also be able to easily verify that our system has not been corrupted.
I think having a good guide to checking your installed Debian system would be of use. Particularly useful would be instructions
to check to see if your system has been compromised by validating all already installed packages. MS Windows has an option
to check installed Windows components.