Migration to APT 0.6

This web page collects background information on Debian's migration to APT version 0.6.

Why APT 0.6?

APT version 0.6 adds support for cryptographically verifying the origin of packages. This means that Debian users can ensure that the packages they install are official packages released by the Debian project and have not been tampered with while they were transmitted across the network or stored on mirrors. This verification is designed to counter the following two threats:

The kind of signature introduced by APT 0.6 does not protect against a compromise of the internal Debian infrastructure used to prepare the archive, though. This is similar to what other vendors do: they sign their software with an organization-specific key, but do not document who built the software or try to cryptographically secure its construction in a publicly verifiable manner.

The Securing Debian Manual <http://www.debian.org/doc/manuals/securing-debian-howto/> contains background information <http://www.debian.org/doc/manuals/securing-debian-howto/ch7.en.html#s-deb-pack-sign> on how the security mechanisms in APT 0.6 work. Further information is available in an older document, APT Signature Checking <http://www.syntaxpolice.org/apt-secure/>.
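The hash chain behind this verification, as an added example (not code from APT or from this page): a signed Release file lists checksums of the Packages indices, which in turn list checksums of the .deb files. The sketch assumes the OpenPGP signature on Release was already checked, uses the SHA256 fields found in current archives, and runs on constructed sample data with made-up paths. Its last case shows the limitation described above: a change made before the archive metadata is generated still verifies.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release_hashes(release: str) -> dict:
    """Return {path: (hash, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False
    return entries

def parse_packages(index: str) -> dict:
    """Return {Filename: SHA256} for each stanza of a Packages index."""
    result = {}
    for stanza in index.strip().split("\n\n"):
        fields = dict(ln.split(": ", 1) for ln in stanza.splitlines() if ": " in ln)
        result[fields["Filename"]] = fields["SHA256"]
    return result

def verify_chain(release, index_path, index_bytes, deb_path, deb_bytes):
    """Walk Release -> Packages -> .deb (Release signature assumed already verified)."""
    digest, size = parse_release_hashes(release)[index_path]
    if len(index_bytes) != size or sha256(index_bytes) != digest:
        return "Packages index does not match Release"
    if parse_packages(index_bytes.decode())[deb_path] != sha256(deb_bytes):
        return "package does not match Packages index"
    return "ok"

def build_archive(deb_bytes, deb_path="pool/main/h/hello/hello_1.0_all.deb",
                  index_path="main/binary-i386/Packages"):
    """Constructed sample archive metadata (what the archive side would sign)."""
    index = f"Package: hello\nFilename: {deb_path}\nSHA256: {sha256(deb_bytes)}\n".encode()
    release = f"Suite: testing\nSHA256:\n {sha256(index)} {len(index)} {index_path}\n"
    return release, index_path, index, deb_path

if __name__ == "__main__":
    release, ipath, index, dpath = build_archive(b"official build")
    print(verify_chain(release, ipath, index, dpath, b"official build"))
    print(verify_chain(release, ipath, index, dpath, b"swapped on mirror"))
    # Altered before the archive metadata was generated: the chain still verifies.
    release2, _, index2, _ = build_archive(b"altered inside infrastructure")
    print(verify_chain(release2, ipath, index2, dpath, b"altered inside infrastructure"))
```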

The two threats mentioned above are deemed important enough to consider the inclusion of APT version 0.6 in the upcoming Debian release, codenamed sarge. However, at this stage of the release process, careful consideration is necessary not to introduce any regressions that would delay the release. Furthermore, some key design decisions behind the archive verification framework are being contested.

Below, we identify potential showstoppers preventing the migration, list open questions, and provide a list of active and pending tasks. Feel free to mail any corrections and suggestions to fw@deneb.enyo.de; I will update this page as needed.


Some issues must be addressed under all circumstances before Debian can switch to APT 0.6. The list below is expected to be complete. A few items on this list may involve significant work. Progress will be tracked on a page referenced from here once work on a particular item has begun. For the list of smaller tasks being actively worked upon, see the next section. (The separation between showstoppers and more manageable units of tasks is intended to increase parallelism.)

If you think this list is incomplete, please mail fw@deneb.enyo.de, because otherwise we risk running into the problem you foresee (which might invalidate previous work or even put the release of sarge at risk).

The test suite

A test suite which exercises various parts of the package verification framework is under development. It consists of a collection of apt-get-able archives:

Please refer to the included README file for further instructions.

If you want to add further test cases, please use the archive generation framework available at:

The test framework is stored in a darcs <http://www.darcs.net> repository. You can use darcs get to download it:

$ darcs get http://darcs.enyo.de/fw/apt-secure-test/
This is the apt-secure-test repository.

Please refer to <http://www.enyo.de/fw/software/apt-secure/> and the
included README file for instructions.

  -- Florian Weimer <fw@deneb.enyo.de>

Copying patch 53 of 53... done!
Applying patches to the "working" directory...
Finished getting.


The list below is presented in the order in which the tasks should be tackled, not according to their importance. If you want to work on any of the items, please send me a short message at fw@deneb.enyo.de. I will update this list accordingly. Note that this list is not complete and is expected to grow as we tackle the showstoppers one after the other.

Progress Reports

Other Resources


Florian Weimer