On Sat, Dec 06, 2003 at 10:13:20AM -0500, [EMAIL PROTECTED] wrote:
> I've occasionally wondered about upgrading from servers, which may
> have been compromised... What if the package-upgrader had an option
> to wait a week after downloading to actually perform the upgrade? Then
> there would be an opportunity to cancel the upgrade in case news of
> compromise got out. Of course, it would not help against undetected
> compromises...
You could do that yourself with some scripts.

(1) Switch to a sources.list that includes the "real servers."
(2) apt-get update; apt-get upgrade --download-only
(3) Move the .debs from /var/cache/apt/archives to a quarantine dir
(4) ls quarantine > $THE_DATE.list

Then in a cron job or something rotate in the files into your local apt-archive; run dpkg-scanpackages to update your archive, switch to a sources.list that just has the local mirror, apt-get update; and apt-get upgrade.

I should probably write something like this for myself. Is it possible to have two different sets of sources.list and tell the tools which to use, so I wouldn't have to switch?
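The quarantine workflow sketched above, written out as an added example that is not part of this thread: it assumes the directory and file names shown, names each batch by its epoch timestamp, and uses apt's `-o Dir::Etc::SourceList=` option so the two sources.list files can coexist instead of being swapped.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: QDIR holds quarantined
# .debs plus one <epoch>.list per batch; ARCHIVE is the local mirror that the
# LOCAL_SOURCES sources.list points at with a "file:" line.
set -e
QDIR=${QDIR:-/var/cache/apt-quarantine}
ARCHIVE=${ARCHIVE:-/var/local/apt-archive}
REAL_SOURCES=${REAL_SOURCES:-/etc/apt/sources.list.real}
LOCAL_SOURCES=${LOCAL_SOURCES:-/etc/apt/sources.list.local}
HOLD_DAYS=${HOLD_DAYS:-7}

# Stage 1: fetch from the real mirrors, then park the .debs in quarantine.
fetch_into_quarantine() {
    apt-get -o Dir::Etc::SourceList="$REAL_SOURCES" update
    apt-get -o Dir::Etc::SourceList="$REAL_SOURCES" -y --download-only upgrade
    quarantine_debs /var/cache/apt/archives "$QDIR" "$(date +%s)"
}

# Move every .deb in $1 into $2 and record the batch in $2/$3.list.
# Prints the number of files quarantined.
quarantine_debs() {
    src=$1; qdir=$2; stamp=$3; n=0
    mkdir -p "$qdir"
    for f in "$src"/*.deb; do
        [ -e "$f" ] || continue
        mv "$f" "$qdir"/
        basename "$f" >> "$qdir/$stamp.list"
        n=$((n + 1))
    done
    echo "$n"
}

# Stage 2 (cron): release batches whose hold period ($3 days, measured
# against epoch $4) has elapsed into the archive $2; newer batches stay.
# A batch withdrawn after a compromise notice is simply deleted from $1.
release_expired() {
    qdir=$1; archive=$2; days=$3; now=$4; released=0
    mkdir -p "$archive"
    for list in "$qdir"/*.list; do
        [ -e "$list" ] || continue
        stamp=$(basename "$list" .list)
        [ $((now - stamp)) -ge $((days * 86400)) ] || continue
        while IFS= read -r deb; do
            if [ -e "$qdir/$deb" ]; then
                mv "$qdir/$deb" "$archive"/
                released=$((released + 1))
            fi
        done < "$list"
        rm -f "$list"
    done
    echo "$released"
}

# Stage 3: rebuild the local index and upgrade from the local mirror only.
upgrade_from_archive() {
    (cd "$ARCHIVE" && dpkg-scanpackages . /dev/null | gzip -9c > Packages.gz)
    apt-get -o Dir::Etc::SourceList="$LOCAL_SOURCES" update
    apt-get -o Dir::Etc::SourceList="$LOCAL_SOURCES" -y upgrade
}
```

Run `fetch_into_quarantine` daily and `release_expired "$QDIR" "$ARCHIVE" "$HOLD_DAYS" "$(date +%s)"` followed by `upgrade_from_archive` from cron; deleting a batch's .debs from `$QDIR` before its hold expires cancels that upgrade.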

