Re: A problem with Packages? Or is it not?

To: Debian-Devel <debian-devel@lists.debian.org>
Cc: Jakub Turski <yacoob@chruptak.plukwa.net>
Subject: Re: A problem with Packages? Or is it not?
From: Colin Watson <cjwatson@debian.org>
Date: Tue, 9 Jul 2002 14:20:30 +0100
Message-id: <[🔎] 20020709132030.GA24026@riva.ucam.org>
Mail-followup-to: Debian-Devel <debian-devel@lists.debian.org>, Jakub Turski <yacoob@chruptak.plukwa.net>
In-reply-to: <[🔎] 20020708190407.GA1811@magi>
References: <[🔎] 20020708190407.GA1811@magi>

On Mon, Jul 08, 2002 at 09:04:07PM +0200, Jakub Turski wrote:
> Let us assume the following scenario:
> 
> 1/ Mr X has hacked the main ftp with debs.
> 2/ He puts his malicious version of some deb into the pool. He just adds
> it in the directory, nothing gets deleted.
> 3/ Mr X changes proper line in Packages. It is not signed, so the change
> remains unknown. Now Packages point to the malicious version of package.

That's what Release and Release.gpg prevent. The Securing Debian Manual
at http://www.debian.org/doc/ includes a script to verify these.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]


-- 
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: A problem with Packages? Or is it not?
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>

References:
- A problem with Packages? Or is it not?
  - From: Jakub Turski <yacoob@chruptak.plukwa.net>

Prev by Date: Re: Definite menu code rewrite
Next by Date: Re: Bug#152822: cryptcat_0.0.950915-4(hppa/unstable): FTBFS: busted diff?
Previous by thread: Re: A problem with Packages? Or is it not?
Next by thread: Re: A problem with Packages? Or is it not?
Index(es):
- Date
- Thread