Bob Paige said:But in your case, the maintainer put up some bogus packages.
I am curious about how secure the apt-get system is; is it possible to
spoof a debian server and thus send compromised updates to a given
machine?
If you have 3rd party apt sources in your sources.list it is very easy to spoof an update. Which is one reason I don't have 3rd party sources, a couple years back I had I think kde.tdyc.com for KDE updates on potato, and for some 4#!# reason whoever runs the mirror put a new version of SSH on there, I managed to catch it quickly when my SSH settings broke a few minutes later.
What I'm really thinking about is the appropriateness of using Debian for a Linux-based appliance. At my work they have Linux appliances, but they are always based on RedHat. I would think the apt-get functionality would be much more reliable than RPM-hell.
In the debian-appliance scenario I don't think you'd want to use the standard debian sources. Rather, you'd want to control them, for example the manufacturer of the appliance could run a server of approved/tested updates. That way we could provide application updates in addition to security updates to a customer box.
So, what is the chance that someone could spoof access to an update server? Does apt-get provide some sort of security (i.e. ssh connection to the server, or digital signatures on the packages)?
Doesn't apt_preferences do this? I've only used it a little bit.it would be nice if there was a setting to set priority to certain sites. e.g. do not update ANY packages that are installed unless they come from X site. or maybe better, ONLY allow X packages to be installed from this mirror.
Or if the number of packages to install is small enough, just download them and install them.when I do need 3rd party sources I add them, do the update/install carefully then remove them and run update again so the cache is flushed.
-- Bobman
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
