
Re: Bug#756022: ITP: apt-transport-s3 -- APT transport for privately held AWS S3 repositories



On Thu, Aug 07, 2014 at 12:44:16AM +0200, Jakub Wilk wrote:
> * David Kalnischkies <david@kalnischkies.de>, 2014-07-26, 15:25:
> >You don't need to write your credentials in a sources.list anymore (which
> >should be world-readable) if your apt is recent enough (and with recent I
> >mean at least oldstable). You can populate a netrc-like file at
> >/etc/apt/auth.conf with them (create it if you must and set for it the
> >permissions to your liking!).
> 
> netrc was designed back when all the protocols were equally resistant to
> password sniffing (that is, not at all). But these days people most likely
> don't want to send their password in clear text, and the netrc-like password
> file doesn't really help with that.

Well, FTP/HTTP and secrecy aren't exactly buddies. So, people want to,
otherwise they would use client-certificates with HTTPS. Or they could
do SSH – this method is installed by default (but I have to say: I have
never tried it so far). That was at least my naive response back in the
days this netrc-like feature was requested/added…

So yes, this really only solves the problem I advertised it for (world-
readable sources.list). It doesn't stop MITM attacks and is also not
a cure for cancer… (not implying that either is solved by HTTPS/SSH).
I just don't understand where you got the idea apt could change that.
APT is just a client here. If you want to change anything, you have to
change the server…


Best regards

David Kalnischkies
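
The following is an added example, not part of the original message or of apt itself: a Python sketch that moves credentials embedded in sources.list URIs into netrc-style lines for /etc/apt/auth.conf, flags the ones that would still travel in clear text over HTTP/FTP, and checks a file's mode. The function names, the sample hosts and passwords, and the host-only `machine` entries are assumptions made for illustration.

```python
import os
import re
import stat
from urllib.parse import urlsplit

# Constructed sample input: hosts, users and passwords are made up.
SAMPLE_SOURCES = """\
# internal mirrors
deb http://alice:s3cret@repo.example.org/debian stable main
deb [arch=amd64] https://bob:hunter2@secure.example.net/apt stable main
deb http://deb.debian.org/debian stable main
"""

CLEARTEXT_SCHEMES = {"http", "ftp"}  # credentials cross the wire unencrypted
URI_RE = re.compile(r"[a-z][a-z0-9+.-]*://\S+")


def split_credentials(sources_text):
    """Return (cleaned sources.list text, auth.conf lines, warnings)."""
    cleaned, auth_lines, warnings = [], [], []
    for line in sources_text.splitlines():
        match = None if line.lstrip().startswith("#") else URI_RE.search(line)
        parts = urlsplit(match.group(0)) if match else None
        if parts is None or parts.username is None:
            cleaned.append(line)  # comment, blank line, or no credentials
            continue
        # netrc-style entry: machine <host> login <user> password <pass>
        auth_lines.append(
            f"machine {parts.hostname} login {parts.username} "
            f"password {parts.password or ''}"
        )
        # Strip "user:pass@" from the URI that stays in sources.list.
        host_only = parts.netloc.rsplit("@", 1)[1]
        bare = match.group(0).replace(parts.netloc, host_only, 1)
        cleaned.append(line.replace(match.group(0), bare, 1))
        if parts.scheme in CLEARTEXT_SCHEMES:
            warnings.append(
                f"{parts.hostname}: {parts.scheme} still sends "
                "the password in clear text"
            )
    return "\n".join(cleaned) + "\n", auth_lines, warnings


def readable_by_others(path):
    """True if the file's mode grants read access to group or other."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))
```

Running `readable_by_others("/etc/apt/auth.conf")` after writing the generated lines shows whether the credentials file has ended up as readable as sources.list.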
