Bug#515940: is secure-apt used in ALL places?

To: Debian BTS <submit@bugs.debian.org>
Subject: Bug#515940: is secure-apt used in ALL places?
From: Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>
Date: Wed, 18 Feb 2009 13:27:24 +0100
Message-id: <[🔎] 20090218132724.58842tkpszp73cu8@webmail.physik.uni-muenchen.de>
Reply-to: Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>, 515940@bugs.debian.org

Package: apt
Version: 0.7.20.2
Severity: wishlist


Hi.

This is perhaps more a question but depending on the answer it willbecome a wishlist bug ;)


Is secure apt used in all places of apt?

Of course it is when installing/upgrading new packages (i.e. apt-getinstall,upgrade,dist-upgrade,build-dep)


What about apt-get source? Are the source package parts checked? Each of them?

And in general,... are packages checked after downloading, or beforeinstalling.I mean,.. e.g. the packages in /var/cache/apt/archives/ are theysecured/checked, and could I use (e.g. dpkg -i) them manually... orare they only checked when actually used (e.g. installed) by apt?

What about apt-cache? E.g. when doing package searches or displayingpackage descriptions?

Now that MD5 seems to be really broken,... does apt-get still use theMD5 hashes?If so, this should be disabled and _ONLY_ newer hashes should be used(e.g. SHA512).

If not present, the package should be considered invalid.


Thanks,
Chris.


-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:

ii debian-archive-keyring 2009.01.31 GnuPG archive keys of theDebian a

ii  libc6                         2.7-18     GNU C Library: Shared libraries
ii  libgcc1                       1:4.3.3-4  GCC support library
ii  libstdc++6                    4.3.3-4    The GNU Standard C++ Library v3

apt recommends no packages.

Versions of packages apt suggests:
ii  apt-doc                      0.7.20.2    Documentation for APT
ii  aptitude                     0.4.11.11-1 terminal-based package manager

ii bzip2 1.0.5-1 high-qualityblock-sorting file co

ii  dpkg-dev                     1.14.25     Debian package development tools

ii lzma 4.43-14 Compression method of 7zformat in

ii  python-apt                   0.7.8       Python interface to libapt-pkg

-- no debconf information

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Reply to:

Prev by Date: Bug#489857: clunky workaround
Next by Date: Re: I'm leaving APT project
Previous by thread: Bug#489857: clunky workaround
Next by thread: Bug#516061: apt-cache search responds "E: You must give exactly one pattern" but accepts multiple strings
Index(es):
- Date
- Thread