@holly
> What about Martin Pool's idea of accessing ppa through https? Would it give protection from this type of attack?
I did specifically say above that it's not a substitute for archive signing. It won't silence apt and it won't protect against all attacks.
My reasons for suggesting it are: it seems like most of the infrastructure is already in place and therefore it may be faster/easier than per-archive signing keys, and it gives some practical protection against network attacks.