On Thu, Aug 07, 2014 at 12:44:16AM +0200, Jakub Wilk wrote:
> * David Kalnischkies <david@kalnischkies.de>, 2014-07-26, 15:25:
> >You don't need to write your credentials in a sources.list anymore (which
> >should be world-readable) if your apt is recent enough (and with recent I
> >mean at least oldstable). You can populate a netrc-like file at
> >/etc/apt/auth.conf with them (create it if you must and set for it the
> >permissions to your liking!).
>
> netrc was designed back when all the protocols were equally resistant to
> password sniffing (that is, not at all). But these days people most likely
> don't want to send their password in clear text, and the netrc-like password
> file doesn't really help with that.

Well, FTP/HTTP and secrecy aren't exactly buddies. So, people want to
otherwise they would use client-certificates with HTTPS. Or they could
do SSH – this method is installed by default (but I have to say: I have
never tried it so far). That was at least my naive response back in the
days this netrc-like feature was requested/added…

So yes, this really only solves the problem I advertised it for
(world-readable sources.list). It doesn't stop MITM attacks and is also
not a cure for cancer… (not implying that either is solved by HTTPS/SSH).

I just don't understand where you got the idea apt could change that.
APT is just a client here. If you want to change anything, you have to
change the server…

Best regards

David Kalnischkies
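
The move discussed in the message above, from credentials embedded in a world-readable sources.list to a netrc-like /etc/apt/auth.conf, as an added example that is not part of the original thread. The function names, the sample entries and the 0600 mode are assumptions made for illustration; as the thread notes, this only keeps the password out of a world-readable file and does nothing for the transport.

```python
import os
import stat
from urllib.parse import urlsplit, urlunsplit

# Constructed sample input, not taken from the thread.
SAMPLE_SOURCES = """\
# internal mirror
deb http://alice:s3cret@repo.example.org/debian stable main
deb [arch=amd64] https://deb.example.net/debian stable main
"""

def split_credentials(sources_text):
    """Return (cleaned sources.list text, netrc-like auth.conf text)."""
    cleaned, auth = [], []
    for line in sources_text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] in ("deb", "deb-src"):
            for i, tok in enumerate(tokens):
                if "://" not in tok:
                    continue
                url = urlsplit(tok)
                if url.username is None or url.password is None:
                    continue
                # Move user/password out of the URI into an auth.conf entry.
                auth.append(f"machine {url.hostname} login {url.username} "
                            f"password {url.password}")
                host = url.hostname + (f":{url.port}" if url.port else "")
                tokens[i] = urlunsplit(url._replace(netloc=host))
            line = " ".join(tokens)
        cleaned.append(line)
    return "\n".join(cleaned) + "\n", "".join(a + "\n" for a in auth)

def world_readable(path):
    """True if users other than owner and group can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def write_private(path, text):
    """Write text to path with mode 0600 (assumed choice of permissions)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # enforce the mode even if the file already existed
```
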