Package: apt
Version: 0.3.19
Severity: wishlist

I am very security conscious, and I do know that apt-get/dpkg is checking md5sums based on those listed in /var/lib/dpkg/available. However, I have two features that I think would be nice for those of us who are paranoid about making sure we are really downloading the binaries that the developer installed.

(0) It would be great if apt-get had a "security verbosity" flag. I just get a good feeling when I see something like:

    md5sum from /var/lib/dpkg/available: xxxxxxx
    md5sum from foo.deb: xxxxxxx
    MATCH!

(1) It would be great if the package list (i.e., /var/lib/dpkg/available) were somehow GPG signed by someone on the Debian keyring, and if the user used --with-gpg or some such option, that signature was checked each time `apt-get update' was run.

And, related to (0), if `apt-get update' said something like (when "security verbosity" was turned on):

    GPG signature of Foobar checked and is valid on Packages file from xxx

-- System Information
Debian Release: potato
Architecture: i386
Kernel: Linux atheist 2.2.14 #8 Tue Jan 11 21:25:15 EST 2000 i586

Versions of packages apt depends on:
ii  libc6          2.1.3-10    GNU C Library: Shared libraries an
ii  libstdc++2.10  1:2.95.2-4  The GNU stdc++ library

-- 
Bradley M. Kuhn - http://www.ebb.org/bkuhn
Attachment:
pgpddWg_YZYvn.pgp
Description: PGP signature