[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: concrete steps for improving apt downloading security and privacy

On Mon, Jul 14, 2014 at 12:45:38PM -0400, Hans-Christoph Steiner wrote:
One place that this will help a lot is managing completely offline machines,
like machines for running secure build and signing processes.  Right now, in
order to install a package securely on an offline machine, I have to make sure
that the apt-get cache is no older than two weeks, otherwise apt-get considers
the info expired and no longer trusted.  It make sense to have a listing of
packages and updates expire.  It does not make sense to have the signature on
an individual package expire.  Debian does not provide the later option.

Or, you could make use of the Check-Valid-Until and Min-ValidTime options in apt.conf. There's a reason things are done the way they are, and you probably aren't going to find a lot of interest in getting people to do a lot of work to create a system which is duplicative at best and less secure at worst.

Mike Stone

Reply to: