
Re: apt-get security question



On Fri, Mar 07, 2003 at 10:08:59AM -0500, Bob Paige wrote:
> I am curious about how secure the apt-get system is; is it possible to 
> spoof a debian server and thus send compromised updates to a given machine?

Yes, since apt-get doesn't check signatures, yet.  Search the
debian-devel archives for the discussion that comes up every couple of
months.  There are signatures on http://security.debian.org/ that you
can manually verify, of course, and there are scripts out there that add
this functionality to apt-get.

-- 
Rob Weir <rweir@ertius.org>				http://ertius.org/
