[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: concrete steps for improving apt downloading security and privacy

On Wed, Jul 09, 2014 at 10:24:18PM -0600, Kitty Cat wrote:
I seem to remember being offered security updates for the kernel, OpenSSL, SSH,
etc. where my only option was to download
untrusted packages. I would get warning messages from aptitude about installing
security updates.

Probably a configuration error. This should be rare with the current defaults, and would be worth a question before proceeding to install untrusted packages.

Maybe there should be written a document that describes in detail in easy to
understand language what steps to take to
verify keys and verify that apt has not been compromised in an already
installed system. And also verifying that GPG has not
been compromised.

You can't. There's a long answer, but the short answer is that it isn't practically possible.

of use. Particularly useful would be instructions
to check to see if your system has been compromised by validating all already
installed packages. MS Windows has an option
to check installed Windows components.

Which is useless in real-world terms. If it wasn't, we wouldn't see windows botnets.

Mike Stone

Reply to: