How to ensure the integrity of Debian mirrors?

To: debian-devel@lists.debian.org
Subject: How to ensure the integrity of Debian mirrors?
From: "Thomas Gebhardt" <gebhardt@HRZ.Uni-Marburg.DE>
Date: Wed, 06 Jan 1999 09:26:23 +0100
Message-id: <[🔎] 199901060826.JAA00857@pcrz64.HRZ.Uni-Marburg.DE>

Hi,

yesterday I had to take a look at a machine that was emerging
ping floods and did other nasty things. It turned out that it
was a freshly installed Linux box (not a Debian system but
another well known Linux distribution) and some investigation
revealed that pretty soon after the installation several
people from different sites got root access and reconfigured
the system for their "needs".

So there is some strong evidence that the system was installed
from an compromised ftp mirror which included a Troan horse
ehm... Trojan horse and some mechanism to distribute the ip
address of the installed host.

I'd suggest to provide some mechanism to make compromising a
Debian mirror more difficult. For now one could provide
a PGP and/or GPG signed list of MD5 sums of all .deb
packages. This list could be generated when constructing
the Packages file. In the future one might implement a
more elaborate certification scheme.

Cheers, Thomas 

Thomas Gebhardt <gebhardt@hrz.uni-marburg.de>
University computing center of Marburg, Germany

Reply to:

Follow-Ups:
- Re: How to ensure the integrity of Debian mirrors?
  - From: Stephen Crowley <crow@debian.org>
- Re: How to ensure the integrity of Debian mirrors?
  - From: "James R. Van Zandt" <jrv@vanzandt.mv.com>

Prev by Date: nsmon, please test
Next by Date: 2.0.36 in slink, so isdnutils should go in as well!
Previous by thread: Re: nsmon, please test
Next by thread: Re: How to ensure the integrity of Debian mirrors?
Index(es):
- Date
- Thread