Re: concrete steps for improving apt downloading security and privacy

[Michael Stone <mstone@debian.org>]

On Mon, Jul 14, 2014 at 12:45:38PM -0400, Hans-Christoph Steiner wrote:
> One place that this will help a lot is managing completely offline machines,
> like machines for running secure build and signing processes.  Right now, in
> order to install a package securely on an offline machine, I have to make sure
> that the apt-get cache is no older than two weeks, otherwise apt-get considers
> the info expired and no longer trusted.  It make sense to have a listing of
> packages and updates expire.  It does not make sense to have the signature on
> an individual package expire.  Debian does not provide the later option.

Or, you could make use of the Check-Valid-Until and Min-ValidTime 
options in apt.conf. There's a reason things are done the way they are, 
and you probably aren't going to find a lot of interest in getting 
people to do a lot of work to create a system which is duplicative at 
best and less secure at worst.

Mike Stone