
Re: apt-get security question



* Bob Paige <bobman@Iname.com> [20030307 11:53 PST]:
> So, what is the chance that someone could spoof access to an update 
> server? Does apt-get provide some sort of security (i.e. ssh connection 
> to the server, or digital signatures on the packages)?

You can use signed packages for something like this.  AFAIK, the
infrastructure is there, it just hasn't been deployed for the Debian
package repositories.  Your client can use debsig-verify to only accept
packages which have been signed by your key.

> Or if the number of packages to install is small enough, just download 
> them and install them.

I was thinking this, too: RPM vs apt-get is not the only reason why
Debian is better than Red Hat!  Even if you decide not to use apt for
system updates, you can still base your system on Debian, and work out
some other system for updates, or just download and install the debs one
by one, a la rpm.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
http://www.eff.org/

Attachment: signature.asc
Description: Digital signature
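
Added example, not part of the original message: debsigs stores each signature inside the .deb's ar container as a member named `_gpg<type>` (for instance `_gpgorigin`), so a client can tell a signed package from an unsigned one before handing it to debsig-verify. The Python below only detects signature members in constructed sample archives (the helper names and payloads are assumptions); checking the signature against your key and policy remains debsig-verify's job.

```python
import io

AR_MAGIC = b"!<arch>\n"
SIG_PREFIX = "_gpg"  # debsigs stores each signature as an ar member named _gpg<type>


def ar_members(blob):
    """Return [(name, size)] for each member of an ar archive (the .deb container)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = [], len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]
        # Fixed 60-byte header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2)
        if len(header) < 60 or header[58:60] != b"`\n":
            raise ValueError("corrupt member header at offset %d" % pos)
        name = header[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(header[48:58].decode("ascii").strip())
        if pos + 60 + size > len(blob):
            raise ValueError("truncated member %r" % name)
        members.append((name, size))
        pos += 60 + size + (size % 2)  # member data is padded to an even offset
    return members


def signature_types(blob):
    """Signature roles embedded in the package, e.g. ['origin']; [] means unsigned."""
    return [n[len(SIG_PREFIX):] for n, _ in ar_members(blob) if n.startswith(SIG_PREFIX)]


def build_ar(entries):
    """Build a constructed ar archive from [(name, data)] for the demo below."""
    out = io.BytesIO()
    out.write(AR_MAGIC)
    for name, data in entries:
        out.write(b"%-16s%-12d%-6d%-6d%-8s%-10d`\n"
                  % (name.encode(), 0, 0, 0, b"100644", len(data)))
        out.write(data + (b"\n" if len(data) % 2 else b""))
    return out.getvalue()


# Constructed sample packages: member payloads are placeholders, not real tarballs.
BASE = [("debian-binary", b"2.0\n"), ("control.tar.gz", b"ctl"), ("data.tar.gz", b"data")]
UNSIGNED_DEB = build_ar(BASE)
SIGNED_DEB = build_ar(BASE + [("_gpgorigin", b"placeholder-signature")])

if __name__ == "__main__":
    for label, deb in (("unsigned", UNSIGNED_DEB), ("signed", SIGNED_DEB)):
        print(label, ar_members(deb), signature_types(deb))
```

A package for which `signature_types` returns an empty list carries no embedded signature at all; a non-empty list only says a signature member is present, not that it is valid.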

