jm + apt-get   2

Attacks against GPG signed APT repositories - Packagecloud Blog

It is a common misconception that simply signing your packages and repository metadata with GPG is enough to create a secure APT repository. This is false. Many of the attacks outlined in the paper and this blog post are effective against GPG-signed APT repositories. GPG signing Debian packages themselves does nothing, as explained below. The easiest way to prevent the attacks covered below is to always serve your APT repository over TLS; no exceptions.

This is excellent research. My faith in GPG sigs on packages is well shaken.
apt  security  debian  packaging  gpg  pgp  packages  dpkg  apt-get  ops 
12 days ago by jm
A Continuous Packaging Pipeline
presentation describing some nice automation tools for packaging vendor code for deployment
deployment  fosdem  presentations  slides  debian  deb  fpm  apt-get 
february 2013 by jm