Package: apt
Version: 0.3.19
Severity: wishlist
I am very security conscious, and I do know that apt-get/dpkg is checking
md5sums based on those listed in /var/lib/dpkg/available.
However, I have two features that I think would be nice for those of us who
are paranoid about making sure we are really downloading the binaries that
the developer installed.
(0) It would be great if apt-get had a "security verbosity" flag. I just
get a good feeling when I see something like:
    md5sum from /var/lib/dpkg/available: xxxxxxx
    md5sum from foo.deb: xxxxxxx
    MATCH!
(1) It would be great if the package list (i.e., /var/lib/dpkg/available)
were somehow GPG signed by someone on the Debian keyring, and if the
user used --with-gpg or some such option, that signature was checked
each time `apt-get update' was run.
And, related to (0), if `apt-get update' said something like (when
"security verbosity" was turned on)
    GPG signature of Foobar checked and is valid on Packages file from xxx
-- System Information
Debian Release: potato
Architecture: i386
Kernel: Linux atheist 2.2.14 #8 Tue Jan 11 21:25:15 EST 2000 i586
Versions of packages apt depends on:
ii libc6 2.1.3-10 GNU C Library: Shared libraries an
ii libstdc++2.10 1:2.95.2-4 The GNU stdc++ library
--
Bradley M. Kuhn - http://www.ebb.org/bkuhn
Attachment:
pgpddWg_YZYvn.pgp
Description: PGP signature
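The two checks the report asks for, written out as an added example that is not part of the bug report and not apt's or dpkg's own code. Feature (0) is implemented by parsing an available/Packages-style stanza, hashing the downloaded .deb and printing both MD5 values before deciding; feature (1) is implemented as a call to the gpg binary verifying a detached signature over a Packages file. The stanza text, the .deb bytes and the keyring path are constructed or assumed for illustration, as the comments note.

```python
"""
Added example (not from the original report or from apt): the verbose MD5
check (feature 0) and a detached-signature check on a Packages file
(feature 1). All sample data below is constructed.
"""
import hashlib
import os
import shutil
import subprocess

# Constructed sample .deb contents and a tampered copy of it.
GOOD_DEB = b"!<arch>\nconstructed sample .deb payload\n"
TAMPERED_DEB = b"!<arch>\nconstructed sample .deb payload, altered\n"
GOOD_MD5 = hashlib.md5(GOOD_DEB).hexdigest()

# Constructed sample of the "Key: value" control format used by
# /var/lib/dpkg/available and Packages files; a continuation line starts
# with a space, stanzas are separated by a blank line. The second
# stanza's MD5sum is the well-known MD5 of the empty string, used only as
# filler.
AVAILABLE_SAMPLE = f"""\
Package: foo
Version: 1.0-1
Architecture: i386
Filename: dists/potato/main/binary-i386/misc/foo_1.0-1_i386.deb
MD5sum: {GOOD_MD5}
Description: Example package
 Longer description line.

Package: bar
Version: 2.0-1
Architecture: i386
Filename: dists/potato/main/binary-i386/misc/bar_2.0-1_i386.deb
MD5sum: d41d8cd98f00b204e9800998ecf8427e
Description: Another example package
"""


def parse_stanzas(text):
    """Parse control-format text into a list of dicts, one per stanza."""
    stanzas, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():                 # blank line ends a stanza
            if current:
                stanzas.append(current)
                current, last_key = {}, None
            continue
        if line[0] in " \t" and last_key:    # continuation of previous field
            current[last_key] += "\n" + line.strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed control line: {line!r}")
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def find_stanza(stanzas, package):
    """Return the stanza describing `package`, or raise KeyError."""
    for stanza in stanzas:
        if stanza.get("Package") == package:
            return stanza
    raise KeyError(package)


def verify_deb_md5(stanza, deb_bytes, verbose=True):
    """Feature (0): compare the recorded MD5sum with the downloaded .deb,
    showing both values when verbose. Returns True only on a match."""
    expected = stanza["MD5sum"].lower()
    actual = hashlib.md5(deb_bytes).hexdigest()
    if verbose:
        print(f"md5sum from /var/lib/dpkg/available: {expected}")
        print(f"md5sum from {os.path.basename(stanza['Filename'])}: {actual}")
        print("MATCH!" if actual == expected else "MISMATCH -- refusing to install")
    return actual == expected


def verify_packages_signature(packages_path, sig_path, keyring_path):
    """Feature (1): verify a detached GPG signature over a Packages file.
    keyring_path is an assumption (e.g. an exported copy of the Debian
    keyring). gpg exits 0 only for a good signature by a key it knows."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg is not installed")
    result = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--verify", sig_path, packages_path],
        capture_output=True, text=True)
    return result.returncode == 0


if __name__ == "__main__":
    foo = find_stanza(parse_stanzas(AVAILABLE_SAMPLE), "foo")
    verify_deb_md5(foo, GOOD_DEB)      # prints both sums and MATCH!
    verify_deb_md5(foo, TAMPERED_DEB)  # prints both sums and MISMATCH
```

The signature check deliberately keys off gpg's exit status rather than parsing its human-readable output, and pins the keyring explicitly so a signature from a key that merely happens to be in the user's personal keyring does not count.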