This web page collects background information on Debian's migration to APT version 0.6.
APT version 0.6 adds support for cryptographically verifying the origin of packages. This means that Debian users can ensure that the packages they install are official packages released by the Debian project and have not been tampered with while they were transmitted across the network or stored on mirrors. This verification is designed to counter the following two threats:
Mirror network compromise: An archive mirror might be attacked successfully, and begin to serve compromised packages to users and other mirrors.
Network-layer attacks: Traffic could be redirected and DNS responses could be forged. Thus, an attacker might lure a user (or another mirror) into downloading compromised packages.
The kind of signature introduced by APT 0.6 does not protect against a compromise of the internal Debian infrastructure used to prepare the archive, though. This is similar to what other vendors do: they sign their software with an organization-specific key, but do not document who built the software, nor try to cryptographically secure its construction in a publicly verifiable manner.
The Securing Debian Manual contains background information on how the security mechanisms in APT 0.6 work. Further information is available in an older document, APT Signature Checking.
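To make the threat model above concrete, here is an added example (not code from APT or from this page) that walks the trust chain APT 0.6 relies on: the signed Release file lists the digest and size of each Packages index, and each Packages stanza lists the digest and size of its .deb. The OpenPGP check of Release.gpg is performed by gpgv in APT and is assumed to have passed here; the sample index, package bytes and paths are constructed for illustration.

```python
import hashlib
import re
# Constructed sample archive index, as a mirror would serve it. The Release file
# is assumed to have passed the Release.gpg signature check (done by gpgv in APT).
DEB_BYTES = b"!<arch>\nconstructed-package-contents\n"
DEB_PATH = "pool/main/e/example/example_1.0-1_i386.deb"
INDEX_PATH = "main/binary-i386/Packages"
PACKAGES = (f"Package: example\nVersion: 1.0-1\nFilename: {DEB_PATH}\n"
            f"Size: {len(DEB_BYTES)}\nMD5sum: {hashlib.md5(DEB_BYTES).hexdigest()}\n\n").encode()
RELEASE = ("Origin: Debian\nSuite: testing\nCodename: sarge\nMD5Sum:\n"
           f" {hashlib.md5(PACKAGES).hexdigest()} {len(PACKAGES):>16} {INDEX_PATH}\n")

def release_md5sums(release_text):
    """Parse the MD5Sum: section of Release into {path: (hex digest, size)}."""
    sums, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new top-level field ends the section
            in_section = line == "MD5Sum:"
            continue
        m = re.match(r" ([0-9a-f]{32})\s+(\d+)\s+(\S+)$", line)
        if in_section and m:
            sums[m.group(3)] = (m.group(1), int(m.group(2)))
    return sums

def verify_index(release_text, path, data):
    """Check an index file against the signed Release; None if OK, else the reason."""
    entry = release_md5sums(release_text).get(path)
    if entry is None:
        return f"{path}: not listed in Release"
    if len(data) != entry[1]:
        return f"{path}: size mismatch"
    if hashlib.md5(data).hexdigest() != entry[0]:
        return f"{path}: MD5Sum mismatch"
    return None

def verify_deb(packages_bytes, filename, deb):
    """Check a .deb against the Packages stanza that lists it; None if OK."""
    for stanza in packages_bytes.decode().split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z0-9-]+): (.*)$", stanza, re.M))
        if fields.get("Filename") != filename:
            continue
        if int(fields["Size"]) != len(deb):
            return f"{filename}: size mismatch"
        if hashlib.md5(deb).hexdigest() != fields["MD5sum"]:
            return f"{filename}: MD5sum mismatch"
        return None
    return f"{filename}: not listed in Packages"

def verify_chain(release_text, packages_bytes, deb):
    # Release -> Packages -> .deb; the first broken link is reported.
    return (verify_index(release_text, INDEX_PATH, packages_bytes)
            or verify_deb(packages_bytes, DEB_PATH, deb))
```

A mirror that rewrites a Packages index or a .deb (or a network attacker who substitutes them in transit) breaks the chain below the signed Release and is reported at the first mismatching link.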
The two threats mentioned above are deemed important enough to consider the inclusion of APT version 0.6 in the upcoming Debian release, codenamed sarge. However, at this stage of the release process, careful consideration is necessary not to introduce any regressions that would delay the release. Furthermore, some key design decisions behind the archive verification framework are being contested.
Below, we identify potential showstoppers preventing the migration and open questions, and provide a list of active and pending tasks. Feel free to mail any corrections and suggestions to fw@deneb.enyo.de; I will update this page as needed.
Some issues must be addressed under all circumstances before Debian can switch to APT 0.6. The list below is expected to be complete. A few items on this list may involve significant work. Progress will be tracked on a page referenced from here once work on a particular item has begun. For the list of smaller tasks being actively worked upon, see the next section. (The separation between showstoppers and more manageable units of tasks is intended to increase parallelism.)
Potential showstoppers not related to cryptography. The main issue here is the need for an ABI transition.
Archive signing touches several parts of Debian's infrastructure. Some persons have to do additional work in the future. We must ask them beforehand if they are willing to do that work, and ensure their cooperation.
A review of the general design decisions, in particular key management and key rollover, is needed. Any changes resulting from this discussion, both in client-side software (APT and its frontends) and on the archive side, must be documented and implemented.
We must review the implementation in apt-get, and test it. This needs a collection of test archives (see tasks below).
Support from other APT frontends. This needs testing, and probably writing some code. For these tests, the test archive is needed, but it is possible to begin testing the general interaction between APT and the frontends before the key management details have been finalized. (The failure scenarios are rather similar, independently of which approach is chosen in the end.)
If you think this list is incomplete, please mail fw@deneb.enyo.de, because otherwise we risk running into the problem you foresee (which might invalidate previous work or even put the release of sarge at risk).
A test suite which exercises various parts of the package verification framework is under development. It consists of a collection of apt-get-able archives:
Please refer to the included README file for further instructions.
If you want to add further test cases, please use the archive generation framework available at:
The test framework is stored in a darcs repository. You can use darcs get to download it:
$ darcs get http://darcs.enyo.de/fw/apt-secure-test/
This is the apt-secure-test repository.  Please refer to
<http://www.enyo.de/fw/software/apt-secure/> and the included README file
for instructions.
-- Florian Weimer <fw@deneb.enyo.de>
**********************
Copying patch 53 of 53... done!
Applying patches to the "working" directory...
.............................................................
Finished getting.
The list below is presented in the order in which the tasks should be tackled, not according to their importance. If you want to work on any of the items, please send me a short message at fw@deneb.enyo.de. I will update this list accordingly. Note that this list is not complete and is expected to grow once we tackle the showstoppers one after the other.
Document any non-cryptography showstoppers. (deity mailing list, Florian)
Ask the ftpmasters if there are any constraints on archive signing from their point of view (especially with respect to signature key management). (Florian)
Test APT front ends against the test suite.
Decide which APT frontends are relevant to the migration. Check that the relevant frontends compile against the APT 0.6 libraries (even though they will not detect tampering with the archive).
Prepare the upcoming key management discussion, so that the topic can be dealt with in a reasonably coordinated manner.
Review Peter Palfrader's patch which changes the implementation of APT's key store.
APT frontends and the migration
APT frontends have to be modified to properly support archive signature verification. While most (if not all) frontends continue to work well when recompiled against the APT 0.6 libraries, changes are necessary so that the frontends properly inform the user about potential archive tampering.
Showstoppers in the APT package
This web page collects issues in the apt package which prevent the migration to APT 0.6, but are not directly related to implementation details of archive signature verification.
2005-02-20: published
2005-05-04: Test suite is available. New status report.