Re: Debian package security
Hi,
The Packages file for the corresponding section holds the
MD5sum of the .deb files. For example, look at:
(http://ftp1.us.debian.org/debian/dists/woody/binary-i386/Packages.gz)
Now, how do you know that the Packages file was not tampered
with? The top level Release file has MD5Sums of the Packages files
(http://ftp1.us.debian.org/debian/dists/woody/Release).
Now, how do you know that the Release file has not been
tampered with? Well, there is a detached signature of that file
(http://ftp1.us.debian.org/debian/dists/woody/Release.gpg)
signed by ziyi, which is an automated script that creates Release files
on the master archive.
How do you know that the signature is valid -- Hmm, pretty
soon you shall be able to get the key from keyring.debian.org; but
right now you need to know James Troup, and have access to
master.debian.org (sorry).
manoj
--
A bunch of Polish scientists decided to flee their repressive
government by hijacking an airliner and forcing the pilot to fly them
to the West. They drove to the airport, forced their way on board a
large passenger jet, and found there was no pilot on board.
Terrified, they listened as the sirens got louder. Finally, one of
the scientists suggested that since he was an experimentalist, he
would try to fly the aircraft. He sat down at the controls and tried
to figure them out. The sirens got louder and louder. Armed men
surrounded the jet. The would-be pilot's friends cried out, "Please,
please take off now!!! Hurry!!!" The experimentalist calmly replied,
"Have patience. I'm just a simple pole in a complex plane."
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
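The chain Manoj walks through above (Release lists the Packages file, Packages lists the .deb, Release.gpg signs Release), worked as an added example that is not part of his message and is not Debian's own tooling. It assumes the first link, the detached signature, has already been checked out of band with `gpg --verify Release.gpg Release` against a trusted archive key, because that step cannot be reproduced offline; it then verifies the two hash links. The Release and Packages text and the .deb bytes are constructed sample data, not a real archive. It goes slightly beyond the woody-era MD5-only case: when a Release file also carries SHA1 or SHA256 sections (as later ones do), the strongest available one is used.

```python
"""Verify the Release -> Packages -> .deb hash chain of a Debian archive.

Added example. Assumes `gpg --verify Release.gpg Release` has already
succeeded; only the two hash links are checked here. All data below is
constructed for illustration and is not from a real Debian mirror.
"""
import hashlib

# Hash sections a Release file may carry, strongest first. woody-era
# Release files carried only MD5Sum; later ones add SHA1 and SHA256.
HASH_SECTIONS = (("SHA256", "sha256"), ("SHA1", "sha1"), ("MD5Sum", "md5"))
PACKAGES_PATH = "main/binary-i386/Packages"   # path as listed in Release


def parse_release(text):
    """Return {section: {path: (hexdigest, size)}} for each hash section.
    Entry lines are indented: ' <hexdigest> <size> <path>'."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.rstrip()
        if line.startswith(" ") and current is not None:
            digest, size, path = line.split()
            sections[current][path] = (digest, int(size))
        elif stripped.endswith(":") and stripped[:-1] in dict(HASH_SECTIONS):
            current = stripped[:-1]
            sections[current] = {}
        else:
            current = None            # any other header ends a hash section
    return sections


def parse_packages(text):
    """Split a Packages file into blank-line separated stanzas, keyed by Filename."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line.startswith(" "):  # continuation line (e.g. long Description)
                continue
            key, _, value = line.partition(": ")
            fields[key] = value
        entries[fields["Filename"]] = fields
    return entries


def check_release_entry(sections, path, data):
    """Check `data` against the strongest Release hash section listing `path`."""
    for section, algo in HASH_SECTIONS:
        entry = sections.get(section, {}).get(path)
        if entry is None:
            continue
        digest, size = entry
        if len(data) != size:
            return False, f"{path}: size {len(data)} != {size}"
        if hashlib.new(algo, data).hexdigest() != digest:
            return False, f"{path}: {section} mismatch"
        return True, f"{path}: {section} ok"
    return False, f"{path}: not listed in Release"


def check_deb(packages, path, data):
    """Check a .deb against its Packages stanza (SHA256 field if present, else MD5sum)."""
    entry = packages.get(path)
    if entry is None:
        return False, f"{path}: not in Packages"
    if int(entry["Size"]) != len(data):
        return False, f"{path}: size mismatch"
    field, algo = ("SHA256", "sha256") if "SHA256" in entry else ("MD5sum", "md5")
    if hashlib.new(algo, data).hexdigest() != entry[field]:
        return False, f"{path}: {field} mismatch"
    return True, f"{path}: {field} ok"


def verify_chain(release_text, packages_text, deb_path, deb_bytes):
    """Walk the chain; returns (ok, [messages]). Stops at the first broken link,
    since a Packages file not vouched for by Release proves nothing about the .deb."""
    msgs = []
    ok, msg = check_release_entry(parse_release(release_text), PACKAGES_PATH,
                                  packages_text.encode())
    msgs.append(msg)
    if not ok:
        return False, msgs
    ok, msg = check_deb(parse_packages(packages_text), deb_path, deb_bytes)
    msgs.append(msg)
    return ok, msgs


# --- constructed sample archive (hashes computed from the sample bytes) ---
DEB_PATH = "pool/main/e/example/example_1.0-1_i386.deb"
DEB_BYTES = b"!<arch>\nconstructed sample, not a real .deb\n"
PACKAGES_TEXT = (
    "Package: example\nVersion: 1.0-1\nArchitecture: i386\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB_BYTES)}\n"
    f"MD5sum: {hashlib.md5(DEB_BYTES).hexdigest()}\n"
    "Description: constructed stanza\n with a continuation line\n"
)
RELEASE_TEXT = (
    "Origin: Debian\nSuite: stable\nCodename: woody\n"
    "Components: main contrib non-free\nArchitectures: i386\nMD5Sum:\n"
    f" {hashlib.md5(PACKAGES_TEXT.encode()).hexdigest()}"
    f" {len(PACKAGES_TEXT.encode())} {PACKAGES_PATH}\n"
)
# Attacker scenario: a swapped .deb plus a Packages file rewritten to match it.
# Release is still the signed original, so the rewritten Packages fails its check.
TAMPERED_DEB_BYTES = DEB_BYTES + b"trojan\n"
TAMPERED_PACKAGES_TEXT = PACKAGES_TEXT.replace(
    hashlib.md5(DEB_BYTES).hexdigest(), hashlib.md5(TAMPERED_DEB_BYTES).hexdigest())

if __name__ == "__main__":
    print(verify_chain(RELEASE_TEXT, PACKAGES_TEXT, DEB_PATH, DEB_BYTES))
    print(verify_chain(RELEASE_TEXT, TAMPERED_PACKAGES_TEXT, DEB_PATH, TAMPERED_DEB_BYTES))
```

The point the scenario at the bottom makes is the one the post makes: an attacker who controls a mirror can rewrite both the .deb and the Packages file, so the Packages hash alone is worthless; only the signed Release file anchors the chain, and only if the key used to sign it is obtained from somewhere the mirror cannot influence.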