LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for August 28, 2008

Fedora, Red Hat, and distributor security

LWN.net Weekly Edition for August 21, 2008

Standards, the kernel, and Postfix

In defense of Ubuntu

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Signed packages?

Signed packages?

Posted Nov 7, 2003 21:50 UTC (Fri) by EricBackus (guest, #2816)
Parent article: Time to move from Red Hat to Debian?

Last time I looked (yes, awhile ago now), one thing that was missing from Debian was signed packages. On RedHat or SuSE, packages are cryptographically signed so I can be confident of their origin. On Debian, that wasn't even possible, I believe due to limitations of the .deb format.

Has that changed? For me, it's a show stopper.

With the proliferation of viruses, trojans, and even attempts at getting security holes into the kernel, it is simply not acceptable to download a package and run it without some assurance that I know who put the package together. I really don't understand how so many people can find this OK.

(Log in to post comments)

Signed packages?

Posted Nov 8, 2003 0:03 UTC (Sat) by liamh (subscriber, #4872) [Link]

Almost all packages are signed, though apparently policy doesn't require it yet. Check with debsums.

Signed packages?

Posted Nov 9, 2003 6:43 UTC (Sun) by EricBackus (guest, #2816) [Link]

> Almost all packages are signed, though apparently
> policy doesn't require it yet. Check with debsums.

OK, good. So I assume that apt-get automatically rejects (or at least *can* reject)
packages that aren't signed by somebody it recognises as legitimate?

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds