* merged with michael.vogt@ubuntu.com--2005/apt--mvo--0 to be in sync with debian

Patches applied: * michael.vogt@ubuntu.com--2005/apt--bts225947--0--base-0 tag of apt@packages.debian.org/apt--main--0--patch-79 * michael.vogt@ubuntu.com--2005/apt--bts225947--0--patch-1 * merged with mainline and apt--fixes--0 * michael.vogt@ubuntu.com--2005/apt--bts225947--0--patch-2 * patch from aj (slighly modified to use auto_ptr<>) applied * michael.vogt@ubuntu.com--2005/apt--bts225947--0--patch-3 * changelog updated * michael.vogt@ubuntu.com--2005/apt--bts225947--0--patch-4 * work for arch=all packages too now * michael.vogt@ubuntu.com--2005/apt--bts225947--0--patch-5 * merged with apt--main--0 * michael.vogt@ubuntu.com--2005/apt--bts225947--0--patch-6 * fixed a incorrect po/he.po merge * michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-7 * fixed incorrect man-page example * michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-8 * changelog udpate * michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-9 * we only need to check once for xmlto * michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-10 * fix a bug in a man-page, fix a problem with overly long lines in apt-cdrom * michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-11 * merged with apt--main--0 * michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-12 * fix a incorrect error message (it always added .gz regardless what was downloaded) * michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-13 * merged with main * michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-14 * added Hashsum support for file and cdrom * michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-15 * added README.arch * michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-16 * merged with main * michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-17 * move the changelog to the right place * michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-18 * Change pkgPolicy::Pin from private to protected * michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-19 * added a default constructor for PrvIterator * michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-20 * applied otavios patch to reread the statusFile on debSystem::Initialize * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-33 * merged with matt's tree * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-34 * merged with matts tree * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-35 * build debian and ubuntu package from the same source * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-36 * added debian/patches dir * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-37 * fix the breakage from my last commit (note to self: always, _always_ run baz diff before a commit) * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-38 * removed the lsb_release build patch (nobody except me seems to like it) * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-39 * merged from main * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-40 * merged the apt--sane-handle-timeout--0 branch * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-41 * merged apt--bts225947--0 * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-42 * merged with apt--main * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-43 * added patch that adds a apt-secure man-page (thanks to jfs@computer.org) * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-44 * added author credits * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-45 * added apt-ftparchive.conf example * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-46 * corrected the utf8 of javier fernandes pena * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-47 * improve the timeout handling (again) * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-48 * merged with apt--fixes--0 * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-49 * README.arch updates, comment in apt-pkg/algorithm.h added, apt-pkg/cacheiterators.h order in initlist changed to remove warning * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-50 * meda-change message is send over status-fd now * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-51 * include a human readable string for the MediaChange status-fd message as well * michael.vogt@ubuntu.com--2005/apt--mvo--0--patch-52 * finalizing changelog * michael.vogt@ubuntu.com--2005/apt--sane-handle-timeout--0--base-0 tag of apt@packages.debian.org/apt--main--0--patch-87 * michael.vogt@ubuntu.com--2005/apt--sane-handle-timeout--0--patch-1 * report timeouts (from Connect) and fail if they happen in pkgAcqMetaSig * michael.vogt@ubuntu.com--2005/apt--sane-handle-timeout--0--patch-2 * merged with the fixes branch to make it build again * michael.vogt@ubuntu.com--2005/apt--sane-handle-timeout--0--patch-3 * merged with main * otavio@debian.org--2005/apt--fixes--0--patch-28 Reread status configuration, needed for clients using independent apt ...
author: Michael Vogt <michael.vogt@ubuntu.com> 2005-09-06 09:51:40 +0000
committer: Michael Vogt <michael.vogt@ubuntu.com> 2005-09-06 09:51:40 +0000
commit: 09af1a917c739e50e4e8590cc8402525b3f1f64d (patch)
tree: aae9b5e6b75920dd1c43afab0da590e4de11976e /doc/apt-secure.8.xml
parent: f8ad6f9b0dbcef95d3bbbe6481d3e10e9ed684d0 (diff)
parent: b8b1131a7d349db52a34a8cd6dd1872aebd50885 (diff)
1 files changed, 209 insertions, 0 deletions
diff --git a/doc/apt-secure.8.xml b/doc/apt-secure.8.xml
new file mode 100644
index 000000000..e22446030
--- /dev/null
+++ b/doc/apt-secure.8.xml
@@ -0,0 +1,209 @@
+<?xml version="1.0" encoding="utf-8" standalone="no"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+<!ENTITY % aptent SYSTEM "apt.ent">
+%aptent;
+
+]>
+
+<refentry>
+ &apt-docinfo;
+ 
+ <refmeta>
+   <refentrytitle>apt-secure</refentrytitle>
+   <manvolnum>8</manvolnum>
+ </refmeta>
+
+<!-- NOTE: This manpage has been written based on the
+     Securing Debian Manual ("Debian Security
+     Infrastructure" chapter) and on documentation
+     available at the following sites:
+     http://wiki.debian.net/?apt06
+     http://www.syntaxpolice.org/apt-secure/
+     http://www.enyo.de/fw/software/apt-secure/
+-->
+<!-- TODO: write a more verbose example of how it works with 
+     a sample similar to 
+     http://www.debian-administration.org/articles/174
+     ?
+--> 
+
+ 
+ <!-- Man page title -->
+ <refnamediv>
+    <refname>apt-secure</refname>
+    <refpurpose>Archive authentication support for APT</refpurpose>
+ </refnamediv>
+
+ <refsect1><title>Description</title>
+   <para>
+   Starting with version 0.6, <command>apt</command> contains code
+   that does signature checking of the Release file for all
+   archives. This ensures that packages in the archive can't be
+   modified by people who have no access to the Release file signing
+   key.
+   </para>
+
+   <para>
+   If a package comes from a archive without a signature or with a
+   signature that apt does not have a key for that package is
+   considered untrusted and installing it will result in a big
+   warning. <command>apt-get</command> will currently only warn
+   for unsigned archives, future releases might force all sources
+   to be verified before downloading packages from them.
+   </para>
+
+   <para>
+   The package frontends &apt-get;, &aptitude; and &synaptic; support this new
+   authentication feature.
+   </para>
+</refsect1>
+
+ <refsect1><title>Trusted archives</title> 
+
+   <para> 
+   The chain of trust from an apt archive to the end user is made up of
+   different steps. <command>apt-secure</command> is the last step in
+   this chain, trusting an archive does not mean that the packages
+   that you trust it do not contain malicious code but means that you
+   trust the archive maintainer. Its the archive maintainer
+   responsibility to ensure that the archive integrity is correct.
+   </para>
+
+   <para>apt-secure does not review signatures at a
+   package level. If you require tools to do this you should look at
+   <command>debsig-verify</command> and
+   <command>debsign</command> (provided in the debsig-verify and
+   devscripts packages respectively).</para>
+
+   <para>
+   The chain of trust in Debian starts when a maintainer uploads a new
+   package or a new version of a package to the Debian archive. This
+   upload in order to become effective needs to be signed by a key of
+   a maintainer within the Debian maintainer's keyring (available in
+   the debian-keyring package). Maintainer's keys are signed by
+   other maintainers following pre-established procedures to
+   ensure the identity of the key holder.
+   </para>
+
+   <para>
+   Once the uploaded package is verified and included in the archive,
+   the maintainer signature is stripped off, an MD5 sum of the package
+   is computed and put in the Packages file. The MD5 sum of all of the
+   packages files are then computed and put into the Release file. The
+   Release file is then signed by the archive key (which is created
+   once a year and distributed through the FTP server. This key is
+   also on the Debian keyring.
+   </para>
+
+   <para>
+   Any end user can check the signature of the Release file, extract the MD5
+   sum of a package from it and compare it with the MD5 sum of the
+   package he downloaded. Prior to version 0.6 only the MD5 sum of the
+   downloaded Debian package was checked. Now both the MD5 sum and the
+   signature of the Release file are checked.
+   </para>
+
+   <para>Notice that this is distinct from checking signatures on a
+   per package basis. It is designed to prevent two possible attacks:
+   </para>
+
+    <itemizedlist>
+       <listitem><para><literal>Network "man in the middle"
+       attacks</literal>. Without signature checking, a malicious
+       agent can introduce himself in the package download process and
+       provide malicious software either by controlling a network
+       element (router, switch, etc.) or by redirecting traffic to a
+       rogue server (through arp or DNS spoofing
+       attacks).</para></listitem>
+ 
+       <listitem><para><literal>Mirror network compromise</literal>.
+        Without signature checking, a malicious agent can compromise a
+        mirror host and modify the files in it to propage malicious
+        software to all users downloading packages from that
+        host.</para></listitem>
+    </itemizedlist>
+
+   <para>However, it does not defend against a compromise of the
+   Debian master server itself (which signs the packages) or against a
+   compromise of the key used to sign the Release files. In any case,
+   this mechanism can complement a per-package signature.</para>
+</refsect1>
+
+ <refsect1><title>User configuration</title>
+   <para>
+   <command>apt-key</command> is the program that manages the list
+   of keys used by apt. It can be used to add or remove keys although
+   an installation of this release will automatically provide the
+   default Debian archive signing keys used in the Debian package
+   repositories.
+   </para>
+   <para>
+   In order to add a new key you need to first download it
+   (you should make sure you are using a trusted communication channel
+   when retrieving it), add it with <command>apt-key</command> and
+   then run <command>apt-get update</command> so that apt can download
+   and verify the <filename>Release.gpg</filename> files from the archives you
+   have configured.
+   </para>
+</refsect1>
+
+<refsect1><title>Archive configuration</title>
+   <para>
+   If you want to provide archive signatures in an archive under your
+   maintenance you have to:
+   </para>
+
+     <itemizedlist>
+       <listitem><para><literal>Create a toplevel Release
+       file</literal>.  if it does not exist already. You can do this
+       by running <command>apt-ftparchive release</command> 
+       (provided inftp apt-utils).</para></listitem>
+   
+      <listitem><para><literal>Sign it</literal>. You can do this by running
+      <command>gpg -abs -o Release.gpg Release</command>.</para></listitem>
+
+      <listitem><para><literal>Publish the key fingerprint</literal>,
+      that way your users will know what key they need to import in
+      order to authenticate the files in the
+      archive.</para></listitem>
+
+    </itemizedlist>
+
+    <para>Whenever the contents of the archive changes (new packages
+    are added or removed) the archive maintainer has to follow the
+    first two steps previously outlined.</para>
+
+</refsect1>
+
+<refsect1><title>See Also</title> 
+<para> 
+&apt-conf;, &apt-get;, &sources-list;, &apt-key;, &apt-archive;,
+&debsign; &debsig-verify;, &gpg;
+</para>
+
+<para>For more backgound information you might want to review the
+<ulink
+url="http://www.debian.org/doc/manuals/securing-debian-howto/ch7.en.html">Debian
+Security Infrastructure</ulink> chapter of the Securing Debian Manual
+(available also in the harden-doc package) and the
+<ulink url="http://www.cryptnet.net/fdp/crypto/strong_distro.html"
+>Strong Distribution HOWTO</ulink> by V. Alex Brennen.  </para>
+
+</refsect1>
+
+ &manbugs;
+ &manauthor;
+
+<refsect1><title>Manpage Authors</title> 
+
+<para>This man-page is based on the work of Javier Fernández-Sanguino
+Peña, Isaac Jones, Colin Walters, Florian Weimer and Michael Vogt.
+</para>
+
+</refsect1>
+ 
+
+</refentry>
+
author	Michael Vogt <michael.vogt@ubuntu.com>	2005-09-06 09:51:40 +0000
committer	Michael Vogt <michael.vogt@ubuntu.com>	2005-09-06 09:51:40 +0000
commit	09af1a917c739e50e4e8590cc8402525b3f1f64d (patch)
tree	aae9b5e6b75920dd1c43afab0da590e4de11976e /doc/apt-secure.8.xml
parent	f8ad6f9b0dbcef95d3bbbe6481d3e10e9ed684d0 (diff)
parent	b8b1131a7d349db52a34a8cd6dd1872aebd50885 (diff)