Bob Paige said:
> I am curious about how secure the apt-get system is; is it possible to
> spoof a Debian server and thus send compromised updates to a given
> machine?

If you have 3rd party apt sources in your sources.list it is very easy to spoof an update. Which is one reason I don't have 3rd party sources. A couple years back I had, I think, kde.tdyc.com for KDE updates on potato, and for some 4#!# reason whoever runs the mirror put a new version of SSH on there. I managed to catch it quickly when my SSH settings broke a few minutes later.

It would be nice if there was a setting to set priority to certain sites, e.g. do not update ANY packages that are installed unless they come from X site. Or maybe better, ONLY allow X packages to be installed from this mirror.

When I do need 3rd party sources I add them, do the update/install carefully, then remove them and run update again so the cache is flushed.

nate
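
A check in the spirit of the setting wished for above, as an added example that is not part of the original message: it reads `apt-cache policy` output and reports pending upgrades whose candidate version is offered by no trusted host. The sample output, host names and versions are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlparse

# Constructed `apt-cache policy` output; hosts and versions are sample values.
SAMPLE = """\
ssh:
  Installed: 1:3.4p1-1
  Candidate: 1:3.6p1-0.1
  Version table:
     1:3.6p1-0.1 500
        500 http://thirdparty.example/debian stable/main Packages
 *** 1:3.4p1-1 500
        500 http://ftp.debian.org/debian stable/main Packages
        100 /var/lib/dpkg/status
kdelibs3:
  Installed: 4:2.2.2-13
  Candidate: 4:2.2.2-14
  Version table:
     4:2.2.2-14 500
        500 http://ftp.debian.org/debian stable/main Packages
 *** 4:2.2.2-13 100
        100 /var/lib/dpkg/status
"""

def parse_policy(text):
    """Return {pkg: {"installed", "candidate", "offers": {version: hosts}}}."""
    pkgs, cur, ver = {}, None, None
    for line in text.splitlines():
        tok = line.replace("***", " ").split()
        if tok and not line[0].isspace():  # unindented "name:" opens a stanza
            cur, ver = pkgs.setdefault(tok[0].rstrip(":"), {"offers": {}}), None
        elif len(tok) < 2 or cur is None:
            continue
        elif tok[0] in ("Installed:", "Candidate:"):
            cur[tok[0][:-1].lower()] = tok[1]
        elif tok[1].lstrip("-").isdigit() and len(tok) == 2:  # "<version> <priority>"
            ver = tok[0]
            cur["offers"][ver] = set()
        elif ver and "://" in tok[1]:  # "<priority> <url> <suite> ..."
            cur["offers"][ver].add(urlparse(tok[1]).hostname or tok[1])
    return pkgs

def untrusted_upgrades(text, trusted_hosts):
    """Pending upgrades whose candidate version no trusted host offers."""
    flagged = {}
    for name, p in parse_policy(text).items():
        inst, cand = p.get("installed"), p.get("candidate")
        hosts = p["offers"].get(cand, set())
        if cand not in (None, "(none)", inst) and not hosts & set(trusted_hosts):
            flagged[name] = (inst, cand, sorted(hosts))
    return flagged
```

Run against real `apt-cache policy` output before an upgrade, anything it returns is a package that would be replaced from a source outside the trusted set, which is the SSH case described in the message.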