Re: apt-get security question

To: <debian-user@lists.debian.org>
Subject: Re: apt-get security question
From: "nate" <debian-user@aphroland.org>
Date: Fri, 7 Mar 2003 12:06:52 -0800 (PST)
Message-id: <[🔎] 51595.10.10.10.7.1047067612.squirrel@webmail.linuxpowered.net>
In-reply-to: <[🔎] 3E68EB6B.7050200@Iname.com>
References: <[🔎] 3E68B60B.2060207@Iname.com> <[🔎] 50219.10.10.10.7.1047058258.squirrel@webmail.linuxpowered.net> <[🔎] 3E68EB6B.7050200@Iname.com>

Bob Paige said:
>
> But in your case, the maintainer put up some bogus packages.
>
> What I'm really thinking about is the appropriateness of using Debian  for
> a Linux-based appliance. At my work they have Linux appliances, but  they
> are always based on RedHat. I would think the apt-get functionality  would
> be much more reliable than RPM-hell.
>
> In the debian-appliance scenario I don't think you'd want to use the
> standard debian sources. Rather, you'd want to control them, for example
> the manufacturer of the appliance could run a server of approved/tested
> updates. That way we could provide application updates in addition to
> security updates to a customer box.
>
> So, what is the chance that someone could spoof access to an update
> server? Does apt-get provide some sort of security (i.e. ssh connection
> to the server, or digital signatures on the packages)?

apt stores/checks(I think) MD5sums of packages(not sure if all of them
have MD5sums or not). It's real easy to setup your own debian mirror
I had 2 at my last employer, we had about 45 debian systems in 2
states. Made updates and installs lightning fast :) There are no
digital signatures on the packages themselves as far as I know,
nor is there a publically available archive accessable via some sort
of encryption method.

debian is very ideal for appliances, many existing linux appliances
are based on debian from what I have seen. Probably mostly due to
the high QA quality of the debian project. Check out www.linuxdevices.com
they list most(all?) known linux embedded devices..

my grandfather's ThinkNIC internet appliance is based on debian as
well though there is no dpkg or apt on it, its REAAAALY stripped down.

though since apt-get uses simple ftp and http you can easily
tunnel these accross a vpn or in the case of http, accross stunnel
as well. One of the things I love about linux(and unix to a lesser
extent) is how well the different tools can work together extending
the functionality of existing software without modifying the
existing software in any way. I use stunnel now to encrypt LDAP and
MySQL connections.

All in all I'd strongly reccomend debian over redhat, the packages
are much more fine grained(many apps are split up into many many
different packages depending on the functionality you need), the
high QA quality, the long release cycles, the "reputation" for
the "stable" tree for being "stable", etc..

you can even use dpkg-repack to backup existing packages before upgrading,
though downgrading a package is not always foolproof, at least you'd
have a copy of the most recent version of the package.

nate

Reply to:

References:
- apt-get security question
  - From: Bob Paige <bobman@Iname.com>
- Re: apt-get security question
  - From: "nate" <debian-user@aphroland.org>
- Re: apt-get security question
  - From: Bob Paige <bobman@Iname.com>

Prev by Date: Re: apt-get security question
Next by Date: Re: Installer Woes
Previous by thread: Re: apt-get security question
Next by thread: Re: apt-get security question
Index(es):
- Date
- Thread