
Using apt on a security relevant system (esp: PGP/GPG, scp, perl)



Hi,

I recently learned "by accident" that apt depends on perl. In the
future, I will be working on a security relevant system, would like to
use apt for centralized updates but wouldn't want to have perl on that
system. Thus, I would like to learn how vital perl is for apt. As I
can see, apt-get is a binary.

Supposing that I use equivs to build a fake perl package that Provides:
perl, but doesn't actually include any perl binary: Which parts of apt
will still be useable, which parts will fail to work? Has this been
tried in the past?

On second thought, I might ask one more question: Is it planned to
have scp as an apt method of getting new packages? That way, it could
be verified (via the host key) that new packages are indeed coming
from our central update server. Is there any infrastructure to check
MD5 signatures or PGP signatures of new packages against a known good
source (like a CD-ROM) before installation?

Any hints will be appreciated.

Greetings
Marc

-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber          |   " Questions are the         | Mail address in header
Karlsruhe, Germany  |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29

