Signed packages?
Posted Nov 7, 2003 21:50 UTC (Fri) by EricBackus (guest, #2816)
Parent article: Time to move from Red Hat to Debian?
Last time I looked (yes, a while ago now), one thing that was missing from Debian was signed packages. On Red Hat or SuSE, packages are cryptographically signed so I can be confident of their origin. On Debian, that wasn't even possible, I believe due to limitations of the .deb format.
Has that changed? For me, it's a show stopper.
With the proliferation of viruses, trojans, and even attempts at getting security holes into the kernel, it is simply not acceptable to download a package and run it without some assurance that I know who put the package together. I really don't understand how so many people can find this OK.
Signed packages?
Posted Nov 8, 2003 0:03 UTC (Sat) by liamh (guest, #4872)
Almost all packages are signed, though apparently policy doesn't require it yet. Check with debsums.
Signed packages?
Posted Nov 9, 2003 6:43 UTC (Sun) by EricBackus (guest, #2816)
> Almost all packages are signed, though apparently
> policy doesn't require it yet. Check with debsums.
OK, good. So I assume that apt-get automatically rejects (or at least *can* reject)
packages that aren't signed by somebody it recognises as legitimate?