Apt Transparency
Speaker: Simon Josefsson
Track: MiniDebConf Berlin 2024
Type: Short Talk
Room: c-base
Time: May 19 (Sun): 10:30
Duration: 0:20
How to improve the security of apt repositories with transparency techniques. I will describe threat models we should protect against that the apt ecosystem currently has no defense against. This goes beyond the current PGP/GnuPG-based trust system. I propose that we need a mechanism inspired by WebPKI’s Certificate Transparency, and that we consider existing technologies such as HTTPS canary files, Sigstore’s public transparency log, Sigsum’s public transparency log, and Filippo Valsorda’s spicy signatures. I will talk about interactions with reproducible builds to increase the safety of package upgrades.