Re: How to ensure the integrity of Debian mirrors?
"Thomas Gebhardt" <gebhardt@HRZ.Uni-Marburg.DE> writes:
>I'd suggest providing some mechanism to make compromising a
>Debian mirror more difficult. For now one could provide
>a PGP and/or GPG signed list of MD5 sums of all .deb
>packages. This list could be generated when constructing
>the Packages file. In the future one might implement a
>more elaborate certification scheme.
We already have indices/md5sums.gz, though at present it is not
signed. One could always fetch the md5sums from a different mirror
than the packages.
FWIW, I use a script like this to check my mirrors:
#!/bin/sh
#
# Check a local Debian mirror: first dangling symlinks, then md5sums.
# Usage: checkmirror.sh [mirror-dir]   (defaults to /debian)
DIR=${1:-/debian}
date
echo "check for broken symlinks..."
# with -follow, find reports a dangling symlink as 'No such file or directory'
find "$DIR" -follow 2>&1 | grep 'No such'
echo "check md5sums..."
cd "$DIR" || exit 1
# md5sum -c prints one line per file; keep only the failed .deb entries
# (-i because newer md5sum prints 'FAILED' in upper case)
zcat indices/md5sums.gz | md5sum -c 2>&1 | grep -i 'fail.*deb'
I run this and append the output to a log file after every mirror
update.
- Jim Van Zandt
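An added example, not Jim's script and not anything shipped in the Debian archive, doing the same md5sums check in Python: it parses the indices/md5sums.gz line format ("<md5>  <relative path>"), hashes each listed .deb under the mirror tree, and reports tampered and missing packages on a constructed mirror directory. The index bytes can be fetched from a different mirror than the packages, as suggested above; as long as the index is unsigned this only catches corruption or a compromise of the package mirror, not a tampered index.

```python
import gzip
import hashlib
import os
import tempfile

def parse_md5sums(data: bytes):
    """Parse the indices/md5sums.gz format: one '<md5>  <relative path>' per line."""
    entries = []
    for line in data.decode().splitlines():
        if not line.strip():
            continue
        digest, path = line.split(None, 1)
        entries.append((digest.lower(), path.strip()))
    return entries

def check_mirror(mirror_dir, index_bytes):
    """Return sorted lists (mismatched, missing) of .deb paths that fail verification."""
    mismatched, missing = [], []
    for digest, rel in parse_md5sums(gzip.decompress(index_bytes)):
        if not rel.endswith(".deb"):
            continue  # the index also lists non-package files; only .deb matters here
        full = os.path.join(mirror_dir, rel)
        if not os.path.isfile(full):
            missing.append(rel)
            continue
        with open(full, "rb") as f:
            if hashlib.md5(f.read()).hexdigest() != digest:
                mismatched.append(rel)
    return sorted(mismatched), sorted(missing)

def demo():
    """Constructed mirror: one good package, one tampered, one listed but absent."""
    root = tempfile.mkdtemp()
    pkgs = {"pool/main/a/alpha_1.0_all.deb": b"alpha-contents",
            "pool/main/b/beta_2.0_all.deb": b"beta-contents",
            "pool/main/g/gamma_3.0_all.deb": b"gamma-contents"}
    # the index is built from the genuine contents, as the master site would do it
    lines = ["%s  %s" % (hashlib.md5(c).hexdigest(), p) for p, c in pkgs.items()]
    index = gzip.compress("\n".join(lines).encode() + b"\n")
    for p, c in pkgs.items():
        if p.startswith("pool/main/g"):
            continue  # gamma never reached this mirror
        os.makedirs(os.path.dirname(os.path.join(root, p)), exist_ok=True)
        with open(os.path.join(root, p), "wb") as f:
            f.write(c if "alpha" in p else b"tampered")  # beta was modified on the mirror
    return check_mirror(root, index)

if __name__ == "__main__":
    print(demo())
```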