
Re: apt download security?



On Tue, Nov 07, 2000 at 02:22:29AM +0000, John Carline wrote:
> However, I'm not above accepting all the help I can find. Can
> someone verify the statement below? Or better yet, is the
> statement wrong? Is there a way to verify the integrity of the
> downloaded debs?

dpkg -p debian-keyring
man dscverify

Also Packages.gz can and should be signed.  

Unfortunately, while source packages can be checked quite easily, they
are not always verifiable.  There is no simple mechanism for verifying
debs *at all*.  Nor even Packages.gz - and the integrity of Packages.gz
isn't actually a guarantee of the integrity of any of the packages.

So there is a hole here.

-- 
Bruce

Remember you're a Womble.


