[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How to ensure the integrity of Debian mirrors?

"Thomas Gebhardt" <gebhardt@HRZ.Uni-Marburg.DE> writes:
>I'd suggest to provide some mechanism to make compromising a
>Debian mirror more difficult. For now one could provide
>a PGP and/or GPG signed list of MD5 sums of all .deb
>packages. This list could be generated when constructing
>the Packages file. In the future one might implement a
>more elaborate certification scheme.

We already have indices/md5sums.gz, though at present it is not
signed.  One could always fetch the md5sums from a different mirror
than the packages.

FWIW, I use a script like this to check my mirrors:

   if [ "$1" = "" ]; then DIR=/debian; fi
   echo "check for broken symlinks..."
   find $DIR -follow 2>&1 | grep 'No such'
   echo "check md5sums..."
   cd $DIR
   zcat indices/md5sums.gz | md5sum -c 2>&1 | grep 'fail.*deb'
I run this and append the output to a log file after every mirror

	       - Jim Van Zandt

Reply to: