
Bug#203741: apt-secure



On Tue, 9 Sep 2003, Matt Zimmerman wrote:

> > This is also why you sign off on the security at update time, because even
> > a single insecure or rogue site can have very interesting effects on the
> > meta data within the cache. The retry algorithms are just one interesting
> > effect that's possible..
 
> Argh, this is a show-stopper I think.  So there's no real security unless
> every one of your sources is authenticated.  The whole system is only as
> strong as the weakest link, and if you have any insecure source, it
> compromises all of your available packages.  That's the reasoning behind the
> confirmation prompt.  But if it's impossible to tell reliably where a
> package comes from, I don't see how it can work.

APT can't sandbox things based on origin, which is the problem here.

The user is ultimately responsible for ensuring that their sources.list
contains sites they trust. The authentication mechanism is _only_ to
secure the network/mirrors - nothing more. Think of it as you think of
SSL/TLS. The problem we are trying to solve is to prevent man in the
middle and rogue mirrors from doing nasty things.

Even if I put in some random unofficial url that's signed I _still_ need to
be wary about the content!

Jason
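The distinction Jason draws (the signature protects the path from the archive to you, not the archive's content) is easiest to see in the hash chain apt-secure checks: the signed Release file lists the hash of each Packages index, and each Packages stanza lists the hash of its .deb. The following is an added example written for this page, not apt's own code. It re-implements only that hash chain over constructed sample files; the gpgv signature check over the Release file is the step before it and is described in comments rather than performed. Names such as build_archive, scenarios, FILENAME, GOOD_DEB and EVIL_DEB are assumptions for the demo.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256, size)} from the SHA256: block of a Release file."""
    entries = {}
    in_block = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_block = False
    return entries


def parse_packages(packages_text: str) -> list:
    """Split a Packages index into one dict per blank-line separated stanza."""
    stanzas, current = [], {}
    for line in packages_text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def verify_index(release_text: str, index_path: str, index_bytes: bytes) -> bool:
    """Does the Release file vouch for this copy of the Packages index?"""
    entry = parse_release_sha256(release_text).get(index_path)
    if entry is None:
        return False
    digest, size = entry
    return len(index_bytes) == size and sha256_hex(index_bytes) == digest


def verify_deb(packages_text: str, filename: str, deb_bytes: bytes) -> bool:
    """Does the Packages index vouch for this copy of the .deb?"""
    for stanza in parse_packages(packages_text):
        if stanza.get("Filename") == filename:
            return (int(stanza["Size"]) == len(deb_bytes)
                    and stanza["SHA256"] == sha256_hex(deb_bytes))
    return False


def verify_chain(release_text, index_path, index_bytes, filename, deb_bytes) -> bool:
    """Release -> Packages -> .deb hash chain.

    Step 0, not performed here: apt runs gpgv over the Release file (Release.gpg
    or InRelease) against its trusted keyring. The checks below only mean
    something once that signature check has passed.
    """
    return (verify_index(release_text, index_path, index_bytes)
            and verify_deb(index_bytes.decode(), filename, deb_bytes))


def build_archive(deb_bytes: bytes, filename: str):
    """Constructed sample archive (assumption for the demo): one Packages index
    and one Release file describing a single package."""
    packages = (
        "Package: demo\nVersion: 1.0\nArchitecture: all\n"
        f"Filename: {filename}\nSize: {len(deb_bytes)}\nSHA256: {sha256_hex(deb_bytes)}\n"
    ).encode()
    index_path = "main/binary-all/Packages"
    release = (
        "Origin: Example\nSuite: stable\nSHA256:\n"
        f" {sha256_hex(packages)} {len(packages)} {index_path}\n"
    )
    return release, index_path, packages


FILENAME = "pool/main/d/demo/demo_1.0_all.deb"
GOOD_DEB = b"!<arch>\n" + b"good package body (constructed)"
EVIL_DEB = b"!<arch>\n" + b"trojaned package body (constructed)"


def scenarios():
    """Three cases that separate what signing protects from what it does not."""
    release, path, packages = build_archive(GOOD_DEB, FILENAME)

    # 1. Honest origin, honest mirror: the chain verifies.
    honest = verify_chain(release, path, packages, FILENAME, GOOD_DEB)

    # 2. Rogue mirror / man in the middle: swaps the .deb and rewrites the
    #    Packages index to match, but cannot re-sign Release, so the index hash
    #    no longer matches and the chain breaks.
    _, _, forged_packages = build_archive(EVIL_DEB, FILENAME)
    mitm = verify_chain(release, path, forged_packages, FILENAME, EVIL_DEB)

    # 3. Rogue origin, i.e. a "random unofficial url that's signed": its own key
    #    signs a Release that honestly describes the trojaned package, so the
    #    chain verifies. Signing says who published it, not whether it is safe.
    release2, path2, packages2 = build_archive(EVIL_DEB, FILENAME)
    rogue_origin = verify_chain(release2, path2, packages2, FILENAME, EVIL_DEB)

    return honest, mitm, rogue_origin


if __name__ == "__main__":
    print(scenarios())  # (True, False, True)
```

Case 2 is the mirror/MITM threat the signature is designed to stop; case 3 is the one Jason says it cannot stop, which is why the entries in sources.list, and not the presence of a valid signature, decide what you are trusting.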



