On Wed, Jul 10, 2002 at 02:45:41PM +1000, Anthony Towns wrote:
> On Mon, Jul 08, 2002 at 09:04:07PM +0200, Jakub Turski wrote:
> > 3/ Mr X changes proper line in Packages. It is not signed, so the change
> > remains unknown. Now Packages point to the malicious version of package.
>
> [aj@cyan ~]$ lynx -source http://ftp.debian.org/debian/dists/woody/Release | grep main/binary-i386/Packages.gz
>  056de733d23e09c0b57c65aae294266f 1775249 main/binary-i386/Packages.gz
>  75dfe094198e0e6d48508cba2a926db151317c9e 1775249 main/binary-i386/Packages.gz
>
> The former is an md5sum, the latter is an SHA1 checksum. The Release file
> has a detached signature in the Release.gpg file in the same location.
>
> > 4/ I do 'apt-get update'. Apt download changed Packages file.
>
> You can verify what apt-get update downloaded using:
>
>     http://people.debian.org/~ajt/apt-check-sigs
> and
>     http://ftp-master.debian.org/ziyi_key_2002.asc
>
> It's not incredibly straightforward or particularly documented.

It sounds nice but when I try I get:

Source: deb http://http.us.debian.org/debian/ unstable main non-free contrib
  o Origin: Debian/Debian
  o Suite: unstable/sid
  o Date: Tue, 09 Jul 2002 19:31:46 UTC
  o Description: Debian Unstable - Not Released
  * COULDN'T CHECK SIGNATURE BY KEYID: AA7DEB7B722F1AED
  * NO VALID SIGNATURE
  * PROBLEMS WITH main (NOCHECK, NOCHECK)
  * PROBLEMS WITH non-free (NOCHECK, NOCHECK)
  * PROBLEMS WITH contrib (NOCHECK, NOCHECK)
Source: deb http://non-us.debian.org/debian-non-US unstable/non-US main contrib non-free
  o Origin: Debian/Debian
  o Suite: unstable/sid
  o Date: Tue, 09 Jul 2002 18:54:01 UTC
  o Description: Debian Unstable - Not Released
  * COULDN'T CHECK SIGNATURE BY KEYID: AA7DEB7B722F1AED
  * NO VALID SIGNATURE
  * PROBLEMS WITH main (NOCHECK, NOCHECK)
  * PROBLEMS WITH contrib (NOCHECK, NOCHECK)
  * PROBLEMS WITH non-free (NOCHECK, NOCHECK)

Have I missed a step?

Christophe

>
> Cheers,
> aj
>
> --
> Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
> I don't speak for anyone save myself. GPG signed mail preferred.
>
> ``If you don't do it now, you'll be one year older when you do.''

--
Christophe Barbé <christophe.barbe@ufies.org>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8 F67A 8F45 2F1E D72C B41E

Cats seem go on the principle that it never does any harm to ask for
what you want. --Joseph Wood Krutch
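The checksum comparison described in the quoted reply, as an added example that is not part of the original thread and is not the apt-check-sigs script: it reads Release lines of the form shown above (digest, size, path) and checks downloaded index bytes against them. The function names and the sample bytes are constructed for illustration, and the Release text is assumed to have already been verified against its detached signature (for example with `gpg --verify Release.gpg Release`), since a matching checksum proves nothing if the Release file itself is untrusted.

```python
import hashlib
import re

# Digest length tells the two kinds of Release line apart, as in the message:
# 32 hex digits is an md5sum, 40 hex digits is a SHA1 checksum.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1"}
ENTRY_RE = re.compile(r"^\s*([0-9a-f]+)\s+(\d+)\s+(\S+)\s*$")


def release_entries(release_text, path):
    """Return [(algo, hexdigest, size)] for each Release line naming `path`."""
    found = []
    for line in release_text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(3) == path and len(m.group(1)) in ALGO_BY_HEXLEN:
            algo = ALGO_BY_HEXLEN[len(m.group(1))]
            found.append((algo, m.group(1), int(m.group(2))))
    return found


def check_index(release_text, path, data):
    """Return a list of problems; empty means size and all digests matched."""
    entries = release_entries(release_text, path)
    if not entries:
        # An index the Release file does not list must not pass by default.
        return ["no checksum entry for " + path]
    problems = []
    for algo, digest, size in entries:
        if len(data) != size:
            problems.append(f"{algo}: size {len(data)} != {size}")
        elif hashlib.new(algo, data).hexdigest() != digest:
            problems.append(f"{algo}: digest mismatch")
    return problems


def make_release(files):
    """Build a constructed Release-style listing (sample data only)."""
    lines = []
    for algo in ("md5", "sha1"):
        for path, data in files.items():
            digest = hashlib.new(algo, data).hexdigest()
            lines.append(f" {digest} {len(data)} {path}")
    return "\n".join(lines) + "\n"


# Constructed sample: genuine index bytes and a same-size tampered copy.
PATH = "main/binary-i386/Packages.gz"
GOOD = b"Package: hello\nFilename: pool/main/h/hello/hello_1.0_i386.deb\n"
EVIL = b"Package: hello\nFilename: pool/main/h/hello/hello_6.6_i386.deb\n"
RELEASE = make_release({PATH: GOOD})
```

`check_index(RELEASE, PATH, GOOD)` returns an empty list, while the tampered copy is reported by both digests even though its size is unchanged.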