
Re: A problem with Packages? Or is it not?



On Mon, Jul 08, 2002 at 09:04:07PM +0200, Jakub Turski wrote:
> 3/ Mr X changes the proper line in Packages. It is not signed, so the change
> remains unknown. Now Packages points to the malicious version of the package.

[aj@cyan ~]$ lynx -source http://ftp.debian.org/debian/dists/woody/Release | grep main/binary-i386/Packages.gz
 056de733d23e09c0b57c65aae294266f          1775249 main/binary-i386/Packages.gz
 75dfe094198e0e6d48508cba2a926db151317c9e          1775249 main/binary-i386/Packages.gz

The former is an md5sum, the latter is an SHA1 checksum. The Release file
has a detached signature in the Release.gpg file in the same location.

> 4/ I do 'apt-get update'. Apt downloads the changed Packages file.

You can verify what apt-get update downloaded using:

	http://people.debian.org/~ajt/apt-check-sigs
and
	http://ftp-master.debian.org/ziyi_key_2002.asc

It's not incredibly straightforward or particularly documented.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

 ``If you don't do it now, you'll be one year older when you do.''
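The check aj describes, as an added illustration that is not the apt-check-sigs script from the post: parse the MD5Sum and SHA1 stanzas of a Release file (whose signature in Release.gpg is assumed to have been verified first) and confirm that a downloaded Packages.gz matches the listed size and both digests. The Release text and the Packages.gz content are constructed stand-ins, not the real woody files.

```python
"""Verify a downloaded Packages.gz against the hashes listed in a Release file."""
import hashlib
import subprocess

# Constructed stand-in for main/binary-i386/Packages.gz; the Release entries
# below carry the standard MD5 and SHA1 test-vector digests of b"abc".
CONSTRUCTED_PACKAGES_GZ = b"abc"

CONSTRUCTED_RELEASE = """\
Origin: Debian
Suite: stable
Codename: woody
Architectures: i386
MD5Sum:
 900150983cd24fb0d6963f7d28e17f72                3 main/binary-i386/Packages.gz
SHA1:
 a9993e364706816aba3e25717850c26c9cd0d89d                3 main/binary-i386/Packages.gz
"""


def parse_release(text):
    """Return {path: {"size": int, "md5": hex, "sha1": hex}} from the hash stanzas."""
    entries, algo = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):  # header field such as "MD5Sum:" or "Suite: stable"
            algo = {"MD5Sum:": "md5", "SHA1:": "sha1"}.get(line.strip())
            continue
        if algo is None:  # indented line outside a hash stanza; ignore
            continue
        digest, size, path = line.split()
        entries.setdefault(path, {})["size"] = int(size)
        entries[path][algo] = digest.lower()
    return entries


def verify_file(entries, path, data):
    """Compare size, MD5 and SHA1 of data with the Release entry; return the mismatches."""
    expected = entries.get(path)
    if expected is None:
        return ["not listed in Release"]
    problems = []
    if len(data) != expected["size"]:
        problems.append("size")
    for algo in ("md5", "sha1"):
        if algo in expected and hashlib.new(algo, data).hexdigest() != expected[algo]:
            problems.append(algo)
    return problems


def release_signature_ok(release_path, release_gpg_path):
    """Check the detached Release.gpg with gpg; the archive key must already be imported."""
    result = subprocess.run(["gpg", "--verify", release_gpg_path, release_path],
                            capture_output=True)
    return result.returncode == 0
```

A Packages.gz that fails any of the three comparisons should be discarded, since the hashes are only meaningful once Release.gpg has been checked against the archive key.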
