On Mon, Jul 08, 2002 at 09:04:07PM +0200, Jakub Turski wrote:
> 3/ Mr X changes the proper line in Packages. It is not signed, so the change
> remains unknown. Now Packages points to the malicious version of the package.

[aj@cyan ~]$ lynx -source http://ftp.debian.org/debian/dists/woody/Release | grep main/binary-i386/Packages.gz
 056de733d23e09c0b57c65aae294266f 1775249 main/binary-i386/Packages.gz
 75dfe094198e0e6d48508cba2a926db151317c9e 1775249 main/binary-i386/Packages.gz

The former is an md5sum, the latter is an SHA1 checksum. The Release file has a
detached signature in the Release.gpg file in the same location.

> 4/ I do 'apt-get update'. Apt downloads the changed Packages file.

You can verify what apt-get update downloaded using:

	http://people.debian.org/~ajt/apt-check-sigs

and

	http://ftp-master.debian.org/ziyi_key_2002.asc

It's not incredibly straightforward or particularly documented.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

  ``If you don't do it now, you'll be one year older when you do.''
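The chain aj describes (the signed Release file lists size plus MD5/SHA1 of Packages.gz, and Packages.gz in turn lists size plus MD5sum of every .deb) is what makes step 3 of the attack detectable: an edited Packages.gz no longer matches the digests in Release. The script below is an added illustration, not aj's apt-check-sigs script and not apt's own code. It assumes the detached signature has already been checked separately (`gpg --verify Release.gpg Release` against the archive key), and it verifies only the hash chain from there. The Release file, Packages.gz and .deb blob are constructed in the script so it runs offline; their digests are computed at load time rather than copied from the real woody archive.

```python
"""Walk the apt trust chain: Release -> Packages.gz -> .deb.

Added example, not Debian's or aj's code. Sample archive contents below are
constructed; Release.gpg signature verification is assumed to happen before
this script is given the Release text.
"""
import gzip
import hashlib
import re

INDEX_PATH = "main/binary-i386/Packages.gz"
DEB_PATH = "pool/main/h/hello/hello_2.1.1-4_i386.deb"

# --- constructed sample archive ---------------------------------------------
DEB = b"constructed stand-in for the hello .deb"  # not a real package


def build_packages_gz(deb_bytes: bytes) -> bytes:
    """Produce a one-stanza Packages.gz whose MD5sum/Size describe deb_bytes."""
    stanza = (
        "Package: hello\nVersion: 2.1.1-4\n"
        f"Filename: {DEB_PATH}\nSize: {len(deb_bytes)}\n"
        f"MD5sum: {hashlib.md5(deb_bytes).hexdigest()}\n"
    )
    return gzip.compress(stanza.encode())


PACKAGES_GZ = build_packages_gz(DEB)

# Same layout as dists/woody/Release: a header, then MD5Sum:/SHA1: blocks of
# " <digest> <size> <path>" lines. Digests computed here, not copied.
RELEASE = (
    "Origin: Debian\nSuite: stable\nCodename: woody\nArchitectures: i386\n"
    "MD5Sum:\n"
    f" {hashlib.md5(PACKAGES_GZ).hexdigest()} {len(PACKAGES_GZ)} {INDEX_PATH}\n"
    "SHA1:\n"
    f" {hashlib.sha1(PACKAGES_GZ).hexdigest()} {len(PACKAGES_GZ)} {INDEX_PATH}\n"
)

# --- verification -----------------------------------------------------------
HASH_SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def parse_release(text: str) -> dict:
    """Return {section: {path: (size, digest)}} for each digest block."""
    sections, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():          # "Key:" header line
            key = line.split(":", 1)[0]
            current = key if key in HASH_SECTIONS else None
            continue
        if current and line.strip():                # indented entry line
            digest, size, path = line.split()
            sections.setdefault(current, {})[path] = (int(size), digest)
    return sections


def check_index(release: dict, path: str, data: bytes) -> int:
    """Check data against every digest Release records for path.

    Returns the number of algorithms checked; raises ValueError on any
    mismatch or if Release does not mention the path at all.
    """
    checked = 0
    for section, algo in HASH_SECTIONS.items():
        entry = release.get(section, {}).get(path)
        if entry is None:
            continue
        size, digest = entry
        if len(data) != size:
            raise ValueError(f"{path}: size {len(data)} != {size} in Release")
        if hashlib.new(algo, data).hexdigest() != digest:
            raise ValueError(f"{path}: {algo} digest does not match Release")
        checked += 1
    if checked == 0:
        raise ValueError(f"{path}: not listed in Release")
    return checked


def parse_packages(gz: bytes):
    """Yield one {field: value} dict per stanza of a gzipped Packages file."""
    text = gzip.decompress(gz).decode()
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        yield fields


def check_deb(stanza: dict, data: bytes) -> bool:
    """Check a .deb blob against the Size/MD5sum its Packages stanza records."""
    if len(data) != int(stanza["Size"]):
        raise ValueError(f"{stanza['Filename']}: size mismatch")
    if hashlib.md5(data).hexdigest() != stanza["MD5sum"]:
        raise ValueError(f"{stanza['Filename']}: MD5sum mismatch")
    return True


def verify_chain(release_text: str, packages_gz: bytes, debs: dict) -> list:
    """Release -> Packages.gz -> each .deb. Returns the verified filenames."""
    release = parse_release(release_text)
    check_index(release, INDEX_PATH, packages_gz)
    verified = []
    for stanza in parse_packages(packages_gz):
        check_deb(stanza, debs[stanza["Filename"]])
        verified.append(stanza["Filename"])
    return verified


def tampered_packages_rejected() -> str:
    """Step 3 of the scenario: Packages.gz rewritten to describe a different
    blob. Its MD5sum line is self-consistent, but the signed Release no longer
    matches the index, so the chain fails before any .deb is looked at."""
    evil = b"constructed replacement blob"
    try:
        verify_chain(RELEASE, build_packages_gz(evil), {DEB_PATH: evil})
    except ValueError as err:
        return str(err)
    return ""


if __name__ == "__main__":
    print("verified:", verify_chain(RELEASE, PACKAGES_GZ, {DEB_PATH: DEB}))
    print("tampered index rejected:", tampered_packages_rejected())
```

The point the script makes is the one in aj's reply: Packages.gz carries no signature of its own, so the only thing that anchors it is the digest line inside the signed Release file; verifying Release.gpg and then checking those digests is exactly the step a plain `apt-get update` of that era skipped.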