How to ensure the integrity of Debian mirrors?


Yesterday I had to take a look at a machine that was emitting
ping floods and did other nasty things. It turned out that it
was a freshly installed Linux box (not a Debian system but
another well known Linux distribution) and some investigation
revealed that pretty soon after the installation several
people from different sites got root access and reconfigured
the system for their "needs".

So there is some strong evidence that the system was installed
from a compromised FTP mirror which included a Troan horse
ehm... Trojan horse and some mechanism to distribute the IP
address of the installed host.

I'd suggest providing some mechanism to make compromising a
Debian mirror more difficult. For now one could provide
a PGP and/or GPG signed list of MD5 sums of all .deb
packages. This list could be generated when constructing
the Packages file. In the future one might implement a
more elaborate certification scheme.

Cheers, Thomas 

Thomas Gebhardt <gebhardt@hrz.uni-marburg.de>
University computing center of Marburg, Germany
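
A sketch of the client side of the signed MD5 list proposed above, added here as an example and not part of the original message or of any Debian tool. The md5sum-style list format, the function names, the package file names and the `keyring` argument are assumptions; the list is only trusted after `signature_ok` has accepted its detached signature.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path

def signature_ok(list_path, sig_path, keyring):
    """True only if gpg accepts the detached signature with a key from `keyring`."""
    cmd = ["gpg", "--no-default-keyring", "--keyring", str(keyring),
           "--verify", str(sig_path), str(list_path)]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def parse_sums(text):
    """Parse md5sum-style lines ('<hex digest>  <relative path>') into a dict."""
    sums = {}
    for line in text.splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            sums[name.strip().lstrip("*")] = digest.lower()
    return sums

def audit_mirror(mirror_dir, sums):
    """Compare the mirror with the list: altered, absent and unlisted .deb files."""
    root = Path(mirror_dir)
    report = {"mismatch": [], "missing": [], "unlisted": []}
    for name, expected in sorted(sums.items()):
        path = root / name
        if not path.is_file():
            report["missing"].append(name)
        elif hashlib.md5(path.read_bytes()).hexdigest() != expected:
            report["mismatch"].append(name)
    # A package the signed list never mentioned is as suspicious as an altered one.
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*.deb")}
    report["unlisted"] = sorted(on_disk - set(sums))
    return report

def demo():
    """Constructed sample: list two packages, then alter one and add a third."""
    with tempfile.TemporaryDirectory() as d:
        pool = Path(d, "pool")
        pool.mkdir()
        (pool / "foo_1.0_i386.deb").write_bytes(b"original foo")
        (pool / "bar_2.1_i386.deb").write_bytes(b"original bar")
        listing = "".join(
            f"{hashlib.md5(p.read_bytes()).hexdigest()}  pool/{p.name}\n"
            for p in pool.iterdir())
        (pool / "bar_2.1_i386.deb").write_bytes(b"trojaned bar")
        (pool / "extra_0.1_i386.deb").write_bytes(b"not in the list")
        return audit_mirror(d, parse_sums(listing))

if __name__ == "__main__":
    print(demo())
```

The keyring has to reach the installing machine by a path other than the mirror being checked, otherwise whoever controls the mirror can replace the list, the signature and the key together.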

