
Re: apt-get security question



Bob Paige said:
> I am curious about how secure the apt-get system is; is it possible to
> spoof a debian server and thus send compromised updates to a given
> machine?

If you have 3rd party apt sources in your sources.list it is very
easy to spoof an update, which is one reason I don't have 3rd party
sources. A couple of years back I had, I think, kde.tdyc.com for KDE updates
on potato, and for some 4#!# reason whoever runs the mirror put a new
version of SSH on there. I managed to catch it quickly when my SSH
settings broke a few minutes later.

It would be nice if there was a setting to set priority to certain
sites, e.g. do not update ANY packages that are installed unless they
come from X site. Or maybe better, ONLY allow X packages to be installed
from this mirror.

When I do need 3rd party sources I add them, do the update/install
carefully, then remove them and run update again so the cache is
flushed.

nate
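
APT's pinning file (apt_preferences) can express the per-site restriction wished for above. The fragment below is an added example, not part of the original message; the host thirdparty.example.org, the package name kdelibs and the file name are assumed placeholders.

```conf
# /etc/apt/preferences.d/third-party   (file name is an assumption)
# thirdparty.example.org is a constructed placeholder for a 3rd party source.

# General rule: nothing served by the 3rd party host is ever selected,
# so it cannot replace an installed package (such as ssh) during upgrade.
# A negative priority means "never install this version".
Package: *
Pin: origin "thirdparty.example.org"
Pin-Priority: -1

# Exception: this one named package may come from the 3rd party host.
# A record that names a package takes precedence over the "Package: *"
# record above. 500 is the same priority as an ordinary archive, so the
# highest version among the allowed sources wins.
Package: kdelibs
Pin: origin "thirdparty.example.org"
Pin-Priority: 500

# Variant for "do not update ANY installed package from this site":
# replace -1 in the general rule with 50. The installed version has
# priority 100, so a lower-priority source can supply packages that are
# not installed yet but never upgrades one that is.
```

`apt-cache policy kdelibs` lists the priority APT assigns to each available version, which confirms whether the pins are in effect.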




