Re: security of apt
Erik Hjelmås wrote:
> any pointers to material which may be relevant are greatly appreciated

Check out [1]. Might be what you're interested in.

[1]. http://monk.debian.net/apt-secure/

--
Alf B Lervåg
Re: security of apt
On Sun, Jan 25, 2004 at 06:19:28PM +0100, Horst Pflugstaedt wrote:
> On Sun, Jan 25, 2004 at 04:12:59PM +0100, Erik Hjelmås wrote:
> > I've spent a few hours searching, what I'm looking for is a discussion
> > of different security aspects of apt, questions like
> > - What are the possible threats in terms of ip spoofing, dns cache
> > poisoning? (are there any solutions in terms of PKI (PGP) or similar
> > discussed somewhere?)
>
> that issue is the same as for every web-based download.

For apt < 0.6, this is true. In apt 0.6, all binary packages are
authenticated using gnupg, and so network trust is not an issue.

--
 - mdz
Re: security of apt
On Sun, Jan 25, 2004 at 04:12:59PM +0100, Erik Hjelmås wrote:
> Hi,
>
> I've spent a few hours searching, what I'm looking for is a discussion
> of different security aspects of apt, questions like
> - What are the possible threats in terms of ip spoofing, dns cache
> poisoning? (are there any solutions in terms of PKI (PGP) or similar
> discussed somewhere?)

that issue is the same as for every web-based download.
apt-get relies on your sources.list which according to man sources.list
currently knows entries for http, ftp, cd-rom and file.
So apart from cd-rom, you ask for the security of http, ftp and i.e. nfs
or any other remote-mountable filesystem.

Horst.

--
Join the army, see the world, meet interesting, exciting people, and kill them.
security of apt
Hi,

I've spent a few hours searching, what I'm looking for is a discussion
of different security aspects of apt, questions like

- What are the possible threats in terms of ip spoofing, dns cache
  poisoning? (are there any solutions in terms of PKI (PGP) or similar
  discussed somewhere?)
- If I need to automate a large site, is mirroring/proxying everything
  in sources.list and manually controlling this as a filter to the rest
  of the site the best solution? (assuming I can control cache poisoning
  attacks on my local network)

I found some interesting discussion on adding 3-party sites on
http://cert.uni-stuttgart.de/archive/debian/security/2004/01/msg00116.html
and something also sort of related
http://cert.uni-stuttgart.de/archive/debian/security/2003/09/msg00283.html

any pointers to material which may be relevant are greatly appreciated

/Erik