On 03/02/2021 21:50, Ramin Doe wrote:
> It's not entirely clear to me what the CIS guideline was expecting me to
> do. It says:
>
> Verify GPG keys are configured correctly for your package manager:
> # apt-key list
>
> Perhaps they want me to install apt-key, and use it to look at the
So after doing my reading and digging around a bit, I get a vague sense of
the pieces involved. I can see the various data files available on the
mirror site, that *could* be used to verify that all the files we receive
are what we'd expect to be getting, based on some initial data (a trusted
key).
>
> >This all sounds pretty promising! Thank you, Noah! Do you happen to
> know
> >how to access this metadata? I'd love to be able to look at it and
> >understand it better.
>
> See the signed InRelease files in /var/lib/apt/lists
>
Ah! I see some files here that are relevant to my se
On Thu, Jan 28, 2021 at 10:08:32AM -0800, Ramin Doe wrote:
> The signed metadata includes cryptographic checksums of the package
> contents. Thus, package contents can't be modified in storage on the
> mirror or in transit to your system without invalidating the checksum,
> and
Hi,
On 28/01/2021 19:08, Ramin Doe wrote:
> "Currently there are two different implementations for signing
> individual packages..."
> I think this is referring to the GPG signature verification mechanisms
> that are disabled by default. I'm happy to not try to go down the
> route of enabling
On Wed, Jan 27, 2021 at 9:27 PM Noah Meyerhans wrote:
>
> The signed metadata includes cryptographic checksums of the package
> contents. Thus, package contents can't be modified in storage on the
> mirror or in transit to your system without invalidating the checksum,
> and the checksums can't
On Wed, Jan 27, 2021 at 10:23:44AM -0800, Ramin Doe wrote:
> This led me to search for more answers online, where I have found an
> article that suggests that package metadata is verified, but that package
> contents are not.
>
> ([1]https://blog.packagecloud.io/eng/2014/10/28/howto-g
If this were an actual problem thousands of people would be having it.
Trust the force.
--
Jonathan
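The chain Noah describes earlier in the thread (the signed InRelease files under /var/lib/apt/lists list the checksum of each Packages index, and each Packages index lists the checksum of every .deb) is worth seeing end to end. The script below is an added example written for this page, not code from the thread or from apt. All archive data in it is constructed inline; the keyring path /usr/share/keyrings/debian-archive-keyring.gpg and the `gpgv --keyring` invocation are assumptions about a Debian 10 host, and the demo on constructed data skips that signature step because it cannot be reproduced offline.

```python
"""Walk the apt-secure trust chain on constructed data.
Trust flows: archive signing key -> OpenPGP signature on InRelease -> SHA256 of the
Packages index listed in InRelease -> SHA256 of each .deb listed in Packages.
Only the first link is a signature check; the rest are hash comparisons."""
import hashlib
import re
import shutil
import subprocess


def verify_inrelease_signature(inrelease: str, keyring: str) -> bool:
    """Check a clearsigned InRelease against a trusted keyring with gpgv, as apt does before
    trusting any hash it lists. Needs gpgv and the keyring on the host (assumed path:
    /usr/share/keyrings/debian-archive-keyring.gpg), so the constructed demo below skips it."""
    if shutil.which("gpgv") is None:
        raise RuntimeError("gpgv is not installed")
    result = subprocess.run(["gpgv", "--keyring", keyring, inrelease],
                            capture_output=True, text=True, check=False)
    return result.returncode == 0


def parse_release_sha256(release_body: str) -> dict[str, tuple[str, int]]:
    """Return {relative path: (sha256 hex, size)} from the 'SHA256:' block. Entries are
    indented by one space; the block ends at the next unindented field or at EOF."""
    entries: dict[str, tuple[str, int]] = {}
    in_block = False
    for line in release_body.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block:
            if not line.startswith(" "):
                break
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text: str) -> dict[str, dict[str, str]]:
    """Return {package name: fields} for each blank-line separated stanza."""
    stanzas: dict[str, dict[str, str]] = {}
    for block in re.split(r"\n\s*\n", packages_text.strip()):
        fields: dict[str, str] = {}
        for line in block.splitlines():
            if line[:1].isspace():  # continuation of a multi-line field (Description)
                continue
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        stanzas[fields["Package"]] = fields
    return stanzas


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_matches(data: bytes, expected_hex: str, expected_size: int) -> bool:
    return len(data) == expected_size and sha256_hex(data) == expected_hex


def verify_chain(release_body: str, index_path: str, index_bytes: bytes,
                 deb_bytes: bytes, package: str) -> tuple[bool, str]:
    """Check the hash links; assumes release_body's signature was already verified."""
    listed = parse_release_sha256(release_body)
    if index_path not in listed:
        return False, f"{index_path} is not listed in InRelease"
    if not hash_matches(index_bytes, *listed[index_path]):
        return False, "Packages index does not match the hash signed in InRelease"
    stanza = parse_packages(index_bytes.decode())[package]
    if not hash_matches(deb_bytes, stanza["SHA256"], int(stanza["Size"])):
        return False, f"{stanza['Filename']} does not match the hash listed in Packages"
    return True, "ok"


# Constructed sample archive: not a real .deb and not real Debian metadata.
SAMPLE_DEB = b"!<arch>\nconstructed payload standing in for example_1.0-1_amd64.deb\n"
INDEX_PATH = "main/binary-amd64/Packages"
SAMPLE_PACKAGES = (
    "Package: example\nVersion: 1.0-1\nArchitecture: amd64\n"
    "Filename: pool/main/e/example/example_1.0-1_amd64.deb\n"
    f"Size: {len(SAMPLE_DEB)}\nSHA256: {sha256_hex(SAMPLE_DEB)}\n"
    "Description: constructed stanza\n continuation line, as in a real Description\n\n"
    "Package: other\nVersion: 2.0-1\nFilename: pool/main/o/other_2.0-1_amd64.deb\nSize: 1\nSHA256: 00\n"
).encode()
SAMPLE_RELEASE = (
    "Origin: Debian\nSuite: stable\nCodename: buster\nSHA256:\n"
    f" {sha256_hex(SAMPLE_PACKAGES)} {len(SAMPLE_PACKAGES)} {INDEX_PATH}\n"
    "Acquire-By-Hash: yes\n"  # unindented field: terminates the SHA256 block
)


def demo_intact() -> tuple[bool, str]:
    return verify_chain(SAMPLE_RELEASE, INDEX_PATH, SAMPLE_PACKAGES, SAMPLE_DEB, "example")


def demo_tampered_deb() -> tuple[bool, str]:
    # A .deb altered on the mirror or in transit no longer matches its Packages stanza.
    return verify_chain(SAMPLE_RELEASE, INDEX_PATH, SAMPLE_PACKAGES, SAMPLE_DEB + b"x", "example")


def demo_tampered_index() -> tuple[bool, str]:
    # Rewriting Packages to cover the altered .deb breaks the hash signed in InRelease.
    evil_deb = SAMPLE_DEB + b"x"
    evil_index = (SAMPLE_PACKAGES
                  .replace(sha256_hex(SAMPLE_DEB).encode(), sha256_hex(evil_deb).encode())
                  .replace(f"Size: {len(SAMPLE_DEB)}".encode(), f"Size: {len(evil_deb)}".encode()))
    return verify_chain(SAMPLE_RELEASE, INDEX_PATH, evil_index, evil_deb, "example")


if __name__ == "__main__":
    for demo in (demo_intact, demo_tampered_deb, demo_tampered_index):
        print(f"{demo.__name__}: {demo()}")
```

The two tampering cases are the point of the thread: changing a .deb fails the Packages check, and "fixing" Packages to hide that fails the InRelease check, so an attacker on the mirror or on the wire would need a signature from a key in your trusted keyring. That keyring is exactly what the CIS `apt-key list` item is asking you to inspect; apt reads the keys from /etc/apt/trusted.gpg.d/, and `verify_inrelease_signature` takes the keyring path as a parameter so you can point it at one of those files against a real /var/lib/apt/lists/*_InRelease.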
Sorry if this has been brought up before. If there's a prior discussion
anyone can point me to, I'd really appreciate it.
I am trying to set up a Debian 10 based server to host a web app that's
visible to the public. Putting some time into finding out best practices in
this situation, I came acros