
Re: defence against the dark arts



On Sat, Dec 06, 2003 at 10:13:20AM -0500, hendrik@pooq.com wrote:
> I've occasionally wondered about upgrading from servers, which may
> have been compromised...  What if the package-upgrader had an option
> to wait a week after downloading to actually perform the upgrade?  Then
> there would be an opportunity to cancel the upgrade in case news of
> compromise got out.  Of course, it would not help against undetected
> compromises...

You could do that yourself with some scripts.

(1) Switch to a sources.list that includes the "real servers."
(2) apt-get update; apt-get upgrade --download-only
(3) Move the .debs from /var/cache/apt/archives to a quarantine dir
(4) ls quarantine > $THE_DATE.list

Then in a cron job or something rotate the files into your local
apt-archive; run dpkg-scanpackages to update your archive, switch to a
sources.list that just has the local mirror, apt-get update; and apt-get
upgrade.

I should probably write something like this for myself.

Is it possible to have two different sets of sources.list and tell the 
tools which to use, so I wouldn't have to switch?
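The quarantine workflow sketched in this message, as an added example (not the poster's script): shell functions for the download-only fetch, the date-stamped hold, a cancel step for when a compromise is announced during the hold, and the cron-side release into a local archive. The directory paths, the `aptw` helper and the seven-day hold are assumptions; `-o Dir::Etc::sourcelist` is apt's own option for selecting an alternate sources.list per invocation, which also answers the closing question.

```shell
# Added example, not from the original post; the paths below are assumed placeholders.
set -u
QUAR_ROOT="${QUAR_ROOT:-/var/local/apt-quarantine}"
LOCAL_ARCHIVE="${LOCAL_ARCHIVE:-/var/local/apt-archive}"
REAL_SOURCES="${REAL_SOURCES:-/etc/apt/sources.list}"          # the "real servers"
LOCAL_SOURCES="${LOCAL_SOURCES:-/etc/apt/sources.list.local}"  # "deb file:$LOCAL_ARCHIVE ./"
HOLD_DAYS="${HOLD_DAYS:-7}"

# Two sources.list files without switching: apt takes an alternate file per call.
# (Newer apt also reads sources.list.d; point Dir::Etc::sourceparts at an empty dir.)
aptw() { f=$1; shift; apt-get -o Dir::Etc::sourcelist="$f" "$@"; }

# Julian day number of a YYYYMMDD stamp in pure shell arithmetic (no GNU date
# needed); leading zeros are stripped so "08" is not read as octal.
stamp_to_jdn() {
    y=${1%????}; md=${1#????}; m=${md%??}; d=${md#??}; m=${m#0}; d=${d#0}
    a=$(( (14 - m) / 12 )); yy=$(( y + 4800 - a )); mm=$(( m + 12 * a - 3 ))
    echo $(( d + (153 * mm + 2) / 5 + 365 * yy + yy / 4 - yy / 100 + yy / 400 - 32045 ))
}

# Steps 1-4: fetch upgrades from the real servers without installing them,
# park the .debs in a date-stamped batch and record the file list.
quarantine_today() {
    batch="$QUAR_ROOT/$(date +%Y%m%d)"
    mkdir -p "$batch"
    aptw "$REAL_SOURCES" update && aptw "$REAL_SOURCES" -y --download-only upgrade
    find /var/cache/apt/archives -maxdepth 1 -name '*.deb' -exec mv {} "$batch"/ \;
    ls "$batch" > "$batch.list"
}

# Print the batches whose hold period has elapsed as of the YYYYMMDD in $1.
ready_batches() {
    today=$(stamp_to_jdn "$1")
    for batch in "$QUAR_ROOT"/[0-9]*/; do
        [ -d "$batch" ] || continue
        batch=${batch%/}
        [ $(( today - $(stamp_to_jdn "${batch##*/}") )) -ge "$HOLD_DAYS" ] && printf '%s\n' "$batch"
    done
    return 0
}

# Drop a batch outright (e.g. compromise announced during the hold) so it never
# reaches the local archive.
cancel_batch() { rm -rf "$QUAR_ROOT/$1" "$QUAR_ROOT/$1.list"; }

# Cron side: roll released batches into the local archive, rebuild Packages,
# then update and upgrade from the local mirror only.
release_batches() {
    for batch in $(ready_batches "$(date +%Y%m%d)"); do
        mv "$batch"/*.deb "$LOCAL_ARCHIVE"/ && rm -rf "$batch" "$batch.list"
    done
    ( cd "$LOCAL_ARCHIVE" && dpkg-scanpackages . /dev/null > Packages )
    aptw "$LOCAL_SOURCES" update && aptw "$LOCAL_SOURCES" -y upgrade
}
```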


