Re: concrete steps for improving apt downloading security and privacy
On Mon, Jul 14, 2014 at 12:45:38PM -0400, Hans-Christoph Steiner wrote:
One place that this will help a lot is managing completely offline machines,
like machines for running secure build and signing processes. Right now, in
order to install a package securely on an offline machine, I have to make sure
that the apt-get cache is no older than two weeks, otherwise apt-get considers
the info expired and no longer trusted. It make sense to have a listing of
packages and updates expire. It does not make sense to have the signature on
an individual package expire. Debian does not provide the later option.
Or, you could make use of the Check-Valid-Until and Min-ValidTime
options in apt.conf. There's a reason things are done the way they are,
and you probably aren't going to find a lot of interest in getting
people to do a lot of work to create a system which is duplicative at
best and less secure at worst.