Re: How to ensure the integrity of Debian mirrors?

To: gebhardt@HRZ.Uni-Marburg.DE
Cc: debian-devel@lists.debian.org
Subject: Re: How to ensure the integrity of Debian mirrors?
From: "James R. Van Zandt" <jrv@vanzandt.mv.com>
Date: Sat, 9 Jan 1999 12:44:29 -0500 (EST)
Message-id: <[🔎] m0zz2R3-0006NEC@vanzandt.mv.com>
In-reply-to: <[🔎] 199901060826.JAA00857@pcrz64.HRZ.Uni-Marburg.DE> (gebhardt@HRZ.Uni-Marburg.DE)
References: <[🔎] 199901060826.JAA00857@pcrz64.HRZ.Uni-Marburg.DE>

"Thomas Gebhardt" <gebhardt@HRZ.Uni-Marburg.DE> writes:
>I'd suggest to provide some mechanism to make compromising a
>Debian mirror more difficult. For now one could provide
>a PGP and/or GPG signed list of MD5 sums of all .deb
>packages. This list could be generated when constructing
>the Packages file. In the future one might implement a
>more elaborate certification scheme.

We already have indices/md5sums.gz, though at present it is not
signed.  One could always fetch the md5sums from a different mirror
than the packages.

FWIW, I use a script like this to check my mirrors:

   #!/bin/sh
   #
   DIR=$1
   if [ "$1" = "" ]; then DIR=/debian; fi
   
   date
   
   echo "check for broken symlinks..."
   find $DIR -follow 2>&1 | grep 'No such'
   
   echo "check md5sums..."
   cd $DIR
   zcat indices/md5sums.gz | md5sum -c 2>&1 | grep 'fail.*deb'
   
I run this and append the output to a log file after every mirror
update.

	       - Jim Van Zandt

Reply to:

References:
- How to ensure the integrity of Debian mirrors?
  - From: "Thomas Gebhardt" <gebhardt@HRZ.Uni-Marburg.DE>

Prev by Date: Re: Hardware-specific drivers/kernels archive (WAS: Re: FWD: RMS and Debian on his Toshiba)
Next by Date: Re: 822-date obsolete?
Previous by thread: Re: How to ensure the integrity of Debian mirrors?
Next by thread: 2.0.36 in slink, so isdnutils should go in as well!
Index(es):
- Date
- Thread