Re: Pre-approval for apt 0.7.21: 'Valid-Until' feature and proxy changes

To: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
Cc: team@security.debian.org, "APT Development Team" <deity@lists.debian.org>, 499897@bugs.debian.org, "Debian FTP Master" <ftpmaster@ftp-master.debian.org>
Subject: Re: Pre-approval for apt 0.7.21: 'Valid-Until' feature and proxy changes
From: "Thijs Kinkhorst" <thijs@debian.org>
Date: Mon, 19 Jan 2009 12:58:13 +0100 (CET)
Message-id: <[🔎] 295e4e8392f4341258da36873f0de82d.squirrel@wm.kinkhorst.nl>
In-reply-to: <[🔎] 49746858.8060609@gmail.com>
References: <[🔎] 49627ED6.2090605@gmail.com> <[🔎] 8763kgjm4j.fsf@mid.deneb.enyo.de> <[🔎] 496FAC84.8010307@gmail.com> <[🔎] 200901172024.55733.thijs@debian.org> <[🔎] 49746858.8060609@gmail.com>

I've removed some CC's.

On Mon, January 19, 2009 12:47, Eugene V. Lyubimkin wrote:
> 1) insert apt-transport-https and all its deps into base system (libcurl,
>  kerberos etc.)

I'm not sure if we need kerberos for this to work. Just like apt uses a
small version of gnupg to verify signatures, we can use a small version of
the https transport that satisfies our needs?

> 2) Release and Release.gpg, installed on
> security.debian.org, should be somehow synchronized with at least all
> official Debian mirrors, I don't know how hard it would be to insert this
> move into archive infrastructure (ftp masters CC'ed)
> 3) needs some hardcoded black magic in APT - if user has an entry

I think it's essential to note that the scheme is in principle only
required for the security mirrors, because the attack scenario is based on
withholding security updates. As we fully control the security mirrors, I
think we need not consider mirrors to solve the problem adequately, and
have a reliable way to know which sources.list entry it applies to.

cheers,
Thijs

Reply to:

Follow-Ups:
- Re: Pre-approval for apt 0.7.21: 'Valid-Until' feature and proxy changes
  - From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>

References:
- Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes
  - From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
- Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes
  - From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
- Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes
  - From: Thijs Kinkhorst <thijs@debian.org>
- Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes
  - From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>

Prev by Date: Re: [rosea.grammostola@gmail.com: Re: [Aptitude-devel] [aptitude-gtk] errors]
Next by Date: Re: Pre-approval for apt 0.7.21: 'Valid-Until' feature and proxy changes
Previous by thread: Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes
Next by thread: Re: Pre-approval for apt 0.7.21: 'Valid-Until' feature and proxy changes
Index(es):
- Date
- Thread