OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
To my understanding the packages provided for Debian-based operating systems are unsigned.
The installer provided here works around this by adding the [trusted=yes] parameter to the repository configuration.
From the docs of sources.list:
Trusted (trusted) is a tri-state value which defaults to APT deciding if a source is considered trusted or if warnings should be raised before e.g. packages are installed from this source. This option can be used to override that decision. The value yes tells APT always to consider this source as trusted, even if it doesn't pass authentication checks. It disables parts of apt-secure(8), and should therefore only be used in a local and trusted context (if at all) as otherwise security is breached. The value no does the opposite, causing the source to be handled as untrusted even if the authentication checks passed successfully. The default value can't be set explicitly.
I would expect a security-centered project to sign the release packages instead of disabling these validation features.
I'm curious why this solution is chosen instead. Do you think the repositories should be signed? Are there any future plans for that?
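As an added example (not part of the original post and not OSSEC's code), this Python sketch audits APT source definitions for the `trusted=yes` override quoted above, in both the one-line `.list` style and the deb822 `.sources` style. It also flags the related `allow-insecure`, `allow-weak` and `allow-downgrade-to-insecure` options from sources.list(5), which goes beyond the single option the post discusses. It matches only the literal value `yes`, and the sample hosts and key path are constructed placeholders.

```python
import re

# sources.list(5) options that relax apt-secure checks when set to "yes".
RISKY = {"trusted", "allow-insecure", "allow-weak", "allow-downgrade-to-insecure"}
ONE_LINE = re.compile(r"^\s*(?:deb|deb-src)\s+\[([^\]]*)\]\s+(\S+)")

def audit_one_line(text):
    """(line_no, uri, option) for risky options in one-line-style .list entries."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ONE_LINE.match(line.split("#", 1)[0])  # ignore comments
        for opt in m.group(1).split() if m else []:
            key, _, value = opt.partition("=")
            if key.lower() in RISKY and value.lower() == "yes":
                findings.append((no, m.group(2), key.lower()))
    return findings

def audit_deb822(text):
    """(stanza_no, uris, option) for risky fields in deb822-style .sources stanzas."""
    findings = []
    for no, stanza in enumerate(re.split(r"\n\s*\n", text.strip()), 1):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith("#") and not line[0].isspace():
                key, _, value = line.partition(":")
                fields[key.strip().lower()] = value.strip()
        for key in sorted(RISKY.intersection(fields)):
            if fields[key].lower() == "yes":
                findings.append((no, fields.get("uris", ""), key))
    return findings

# Constructed sample input; hosts and key path are placeholders.
SAMPLE_LIST = """\
deb [signed-by=/usr/share/keyrings/example.gpg] https://deb.example.invalid/debian stable main
deb [arch=amd64 trusted=yes] https://repo.example.invalid/debian stable main
# deb [trusted=yes] https://old.example.invalid/debian stable main
"""
SAMPLE_SOURCES = """\
Types: deb
URIs: https://deb.example.invalid/debian
Suites: stable
Components: main

Types: deb
URIs: https://repo.example.invalid/debian
Suites: stable
Components: main
Trusted: yes
"""
```

On a real host, the inputs would be the contents of `/etc/apt/sources.list` and the files under `/etc/apt/sources.list.d/`.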