Aptly builds and publishes Debian package repositories; a compromise of the publishing host or its signing key can affect every host that installs from them.
¶ Repository Trust and Signing
- Sign all published repositories with protected GPG keys.
- Keep private signing keys offline or in secured key management.
- Rotate signing keys with documented trust migration.
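The GPG signature aptly places on a published Release file is what turns the repository into something clients can trust: the signature covers the Release text, and the Release text carries the sizes and SHA256 digests of every index it lists, so a client that has verified the signature can detect any tampered or substituted Packages index. The following Python example (added here; it is not aptly's own code and aptly ships nothing like it) walks that second step of the chain: it parses the SHA256 block of a Release file and checks an index against it. The Release and Packages contents are constructed samples, and the example assumes the signature itself has already been checked against a trusted keyring (as apt does with InRelease or Release.gpg before reading these hashes).

```python
"""Verify the hash chain a signed apt Release file establishes over the
repository indexes it lists. Constructed example for this page; the
signature on the Release file is assumed to have been verified already."""
import hashlib
import re

# Constructed sample Packages index (not from any real repository).
PACKAGES_INDEX = (
    b"Package: example-tool\n"
    b"Version: 1.2.3-1\n"
    b"Architecture: amd64\n"
    b"Filename: pool/main/e/example-tool/example-tool_1.2.3-1_amd64.deb\n"
    b"\n"
)

INDEX_PATH = "main/binary-amd64/Packages"


def _release_for(index: bytes, path: str) -> str:
    """Build a constructed Release body whose SHA256 block covers `index`.
    In production this text is what the publisher signs; it is generated here
    so the sample is internally consistent."""
    digest = hashlib.sha256(index).hexdigest()
    return (
        "Origin: example-origin\n"
        "Suite: stable\n"
        "Codename: stable\n"
        "Architectures: amd64\n"
        "Components: main\n"
        "SHA256:\n"
        f" {digest} {len(index)} {path}\n"
    )


RELEASE_TEXT = _release_for(PACKAGES_INDEX, INDEX_PATH)

# One entry of the SHA256 block: " <hex digest> <size> <path>"
_ENTRY = re.compile(r"^ ([0-9a-f]{64}) +(\d+) +(\S+)$")


def parse_sha256_entries(release_text: str) -> dict:
    """Return {path: (sha256_hex, size)} from the SHA256 block of a Release
    file. The block is the run of indented lines after 'SHA256:'; the next
    unindented field ends it."""
    entries = {}
    in_block = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                in_block = False
                continue
            m = _ENTRY.match(line)
            if m:
                entries[m.group(3)] = (m.group(1), int(m.group(2)))
    return entries


def verify_index(release_text: str, path: str, data: bytes) -> bool:
    """True only if `data` matches both the size and the SHA256 digest the
    Release file records for `path`. An index the Release file does not list
    is rejected: the signature never covered it, so it carries no trust."""
    entry = parse_sha256_entries(release_text).get(path)
    if entry is None:
        return False
    expected_hash, expected_size = entry
    if len(data) != expected_size:
        return False
    return hashlib.sha256(data).hexdigest() == expected_hash


if __name__ == "__main__":
    print("intact index:", verify_index(RELEASE_TEXT, INDEX_PATH, PACKAGES_INDEX))
    # Same length as the original, so only the digest check can catch it.
    tampered = PACKAGES_INDEX.replace(b"1.2.3-1", b"1.2.3-2")
    print("tampered index:", verify_index(RELEASE_TEXT, INDEX_PATH, tampered))
```

The tampered case is deliberately the same length as the intact index so that the size check passes and only the digest comparison rejects it; an index path missing from the Release file is rejected outright rather than treated as "nothing to check", because anything the signed Release does not list is outside what the signature protects.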
¶ Publish and Access Controls
- Restrict who can publish/update snapshots.
- Use HTTPS for repository distribution and API access.
- Audit snapshot promotions and mirror updates.