<br /> Security with apt – Debian Planet

Welcome to Debian Planet

News for Debian. Stuff that *really* matters

These are important Debian sites one should not be without!

  • Official Debian site
  • Package search
  • Mailing list archives
  • Bug reports
  • Debian on CD
  • Debian Weekly News — excellent news source!
  • Unofficial APT sources

  • Developers’ Corner
  • Community
    Need help? You’re not alone on this planet.

  • debianHELP
    (User support site)

  • Debian International
  • DebianForum.de

  • DebianForum.dk

  • EsDebian

  • DebianWorld

  • Debian-Fr

  • MaximumDebian

  • DebianUsers

  • Debian-BR

  • DebianHOWTO (Deutsch)
  • Russian Debian
  • Contribute
    Got that latest or greatest scoop? Perhaps you have some important news for the Debian community? Submit a news item!

    Or perhaps you’ve written a rather ground breaking insight into some aspect of Debian and you feel compelled to share it with others? Knock up a longer editorial article and send it to the editors.

    General feedback should be sent to staff@debianplanet.org

    The place to get help on a Debian problem (after reading docs) or to just chat and chill is #debian on irc.oftc.net.

    Many of the Debian Planet staff live there so pop by and say hello.

    Debian Planet also has its own channel on the same network called #debianplanet.


    DP is sponsored by Xinit Systems.

    Domains paid for and hosted by uklinux.net.

    Buy your Debian merchandise at DebianShop.com.

    Support Debian through Bytemark Hosting. At least £7 will be given for each new account


    Security with apt
    Submitted by wyrmBait on Monday, April 08, 2002 – 15:28
    While reading this article over at Slashdot.org about the potential insecurity of creating a Single Point of Ownership, I couldn’t help notice the similarities between the offending program and our beloved apt. How secure is the protocol that apt uses? How resistant to attack are the Debian package servers? Is there any code signing done when a package is downloaded?

    I know I could get the answer to most of these from the source code, but I suspect the answers already, and would bring the question to the attention of more involved parties. Despite the fact that there are myriad package mirrors, many people (myself included) simply point apt to the main server, and, in any case, a package subverted in an attack on a main server could quickly propagate to the mirrors if it went undetected.

    IMHO, this is an issue that has been overlooked for some time is the context of open source, since the code is always there for inspection. The situation of automated updates does change things, though, and might require a re-examination of how much we trust pre-compiled code.

    Am I just being alarmist, or is this something that will have to be addressed in the development of Debian?

    Control panel

    Comment viewing options:

    Select your prefered way to display the comments and click ‘Update settings’ to activate your changes.

    Subject: signing packages with keys from website and/or .iso
    Author: kipple
    Date: Tuesday, 2002/04/09 – 12:21
    IMHO the security for the packages should be extended by using crypto and public key signing:
    1. the public key should be available on the website AND in every debian distro, so if the .iso are compromised we could always rely on the public key on the website, and vice versa;
    2. apt- should automatically check the sig for the packages using the pre-installed key and compare it with the key obtained from the website
    3. in this way if the website and/or any of the mirror are compromised, the debian community will notice it in very little time
    4. this could also lead to a better organization of packages, marking them as ‘approved by debian’. I know it could lead to discussion about ‘why was my package rejected?’, but still will centralize things

    ..those are just ideas, the methods could be discussed. I just would like to know if this makes sense or not


    [ return ]


    Subject: Signing should be done with GPG and public keys …
    Author: Anonymous
    Date: Tuesday, 2002/04/09 – 13:22
    …should be found in PGP-keyservers and therefore be themselves digitally signed with somone’s GPG public key which is known to the system. So one absolutely non-NSA-compromised known person’s GPG public key (keylenght >4096 bits) should come with the distribution and be found on mirror sites.

    [ Please login, or register ]

    Search articles

    ·News (213)
    ·Features (3)
    ·Site News (9)
    ·HOWTOs (42)
    ·Tips (8)
    ·Opinion (12)
    ·Q & A (18)
    ·Sponsorship (1)

    Log in


    Remember me

    » Register
    » New password

    Debian Security Announcements
    DSA-402 minimalist
    DSA-401 hylafax
    DSA-400 omega-rpg
    DSA-399 epic4
    DSA-398 conquest
    DSA-397 postgresql
    DSA-396 thttpd
    DSA-395 tomcat4
    DSA-394 openssl095
    DSA-393 openssl

    Latest poll: Should deb files have built-in signatures (similar to rpm)?
    Yes, existing Release signatures are not sufficient
    Yes, these would be nice even though we already have Release signatures
    Yes, but what’s a Release signature?
    No, existing Release signatures are sufficient
    No, don’t know/care

    home · archives · news feeds · about · polls · search · sections · user account

    Powered by the amazing Drupal

    Debian Planet is not officially related to the Debian Project.
    Debian and the Debian logo are trademarks of Software in the Public Interest, Inc.