
Re: A problem with Packages? Or is it not?



On Wed, Jul 10, 2002 at 02:45:41PM +1000, Anthony Towns wrote:
> On Mon, Jul 08, 2002 at 09:04:07PM +0200, Jakub Turski wrote:
> > 3/ Mr X changes proper line in Packages. It is not signed, so the change
> > remains unknown. Now Packages point to the malicious version of package.
> 
> [aj@cyan ~]$ lynx -source http://ftp.debian.org/debian/dists/woody/Release | grep main/binary-i386/Packages.gz
>  056de733d23e09c0b57c65aae294266f          1775249 main/binary-i386/Packages.gz
>  75dfe094198e0e6d48508cba2a926db151317c9e          1775249 main/binary-i386/Packages.gz
> 
> The former is an md5sum, the latter is an SHA1 checksum. The Release file
> has a detached signature in the Release.gpg file in the same location.
> 
> > 4/ I do 'apt-get update'. Apt download changed Packages file. 
> 
> You can verify what apt-get update downloaded using:
> 
> 	http://people.debian.org/~ajt/apt-check-sigs
> and
> 	http://ftp-master.debian.org/ziyi_key_2002.asc
> 
> It's not incredibly straightforward or particularly documented.
> 
> Cheers,
> aj


I finally got your script working with the attached patch.
My version of md5sum (sid) adds a '-' after the sum when the input is the
standard input.

It's a good thing to have this kind of check. Would it be possible to
integrate this kind of check around 'apt-get update'?

Thanks,
Christophe

-- 
Christophe Barbé <christophe.barbe@ufies.org>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

Cats are intended to teach us that not everything in nature has a
function. --Garrison Keillor
--- apt-check-sigs	Sun Jan 27 10:32:46 2002
+++ apt-check-sigs	Wed Jul 10 11:53:18 2002
@@ -37,7 +37,7 @@
 	local LOOKUP="$2"
 
 	Y="`get_md5sumsize Release "$LOOKUP"`"
-	Y="`echo "$Y" | sed 's/^ *//;s/  */ /g'`"
+	Y="`echo "$Y" | sed 's/-//;s/^ *//;s/  */ /g'`"
 
 	if [ ! -e "/var/lib/apt/lists/$FILE" ]; then
 		if [ "$Y" = "" ]; then
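Review bot: the added `s/-//` on the `Y=` line is unanchored and deletes the first hyphen found anywhere in `$Y`, yet `$Y` comes from the Release file via get_md5sumsize, and Release entries (compare the quoted `056de733... 1775249 main/binary-i386/Packages.gz` line) carry no md5sum stdin marker to strip. If get_md5sumsize passes the path through, the hyphen that gets removed is the one in `binary-i386`, which silently changes the value being compared instead of normalising it. Either leave this line unchanged or narrow the pattern to the marker only, e.g. `s/  *- / /`, so that a hyphen inside a file name is never touched.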
@@ -55,7 +55,7 @@
 		return
 	fi
 	X="`md5sum < /var/lib/apt/lists/$FILE` `wc -c < /var/lib/apt/lists/$FILE`"
-	X="`echo "$X" | sed 's/^ *//;s/  */ /g'`"
+	X="`echo "$X" | sed 's/-//;s/^ *//;s/  */ /g'`"
 	if [ "$X" != "$Y" ]; then
 		echo "$FILE" >>BAD
 		echo "BAD"
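Review bot: on the `X=` line the `-` being removed really is the stdin marker that `md5sum < file` emits, but `s/-//` relies on nothing else in the string containing a hyphen; since `$X` is built as `<sum>  - <count>`, anchoring the substitution to the marker, e.g. `s/  *- / /`, keeps the fix from ever eating a different hyphen. An alternative that avoids the marker altogether is to compute the sum from the file name rather than stdin, e.g. `md5sum "/var/lib/apt/lists/$FILE" | cut -d' ' -f1`, and to quote the path in the `wc -c` redirection as well.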

Attachment: pgpHVDyHPGj6Y.pgp
Description: PGP signature
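For the step the thread is about (comparing what apt-get update fetched against the checksums in the signed Release file), here is a small verifier as an added example. It is not the apt-check-sigs script and not apt's own code. It assumes the Release body uses the layout of the quoted lines ("<md5sum> <size> <path>" under an MD5Sum: header and "<sha1> <size> <path>" under an SHA1: header) and that the detached signature in Release.gpg has already been checked with gpg (e.g. `gpg --verify Release.gpg Release`); only the hash-and-size comparison that follows is shown. The Packages body and the Release text are constructed for the example, and md5 is used only because the woody Release file lists it alongside SHA1.

```python
"""Verify a downloaded apt index against the checksums in a signed Release file.

Added example, not the apt-check-sigs script from the thread and not apt's code.
Assumes Release.gpg was already verified with gpg; this covers only the step
after that: does the local index match what the signed Release promises?
"""
import hashlib
import re

# Constructed sample data: a tiny Packages body, a same-length tampered copy
# (a changed Version line points apt at a different .deb), and a Release text
# listing the genuine body under MD5Sum: and SHA1: exactly as the quoted
# woody Release lines do ("<digest> <size> <path>").
GOOD = (b"Package: hello\n"
        b"Version: 2.1.1-4\n"
        b"Filename: pool/main/h/hello/hello_2.1.1-4_i386.deb\n")
TAMPERED = GOOD.replace(b"Version: 2.1.1-4", b"Version: 2.1.1-3")
INDEX_PATH = "main/binary-i386/Packages"
RELEASE = ("Origin: Debian\nSuite: stable\nMD5Sum:\n %s %d %s\nSHA1:\n %s %d %s\n"
           % (hashlib.md5(GOOD).hexdigest(), len(GOOD), INDEX_PATH,
              hashlib.sha1(GOOD).hexdigest(), len(GOOD), INDEX_PATH))

_CHECKSUM_LINE = re.compile(r"\s*([0-9a-f]+)\s+(\d+)\s+(\S+)$")


def parse_release(text):
    """Return {path: {"size": int, "md5": hex, "sha1": hex}} from a Release body.

    Only the MD5Sum: and SHA1: lists are read; other headers end the list."""
    entries = {}
    section = None
    for line in text.splitlines():
        if not line.startswith(" "):
            # A header line: selects a checksum list or (any other field) leaves one.
            section = {"MD5Sum:": "md5", "SHA1:": "sha1"}.get(line.strip())
            continue
        if section is None:
            continue
        m = _CHECKSUM_LINE.match(line)
        if not m:
            raise ValueError("malformed checksum line: %r" % line)
        digest, size, path = m.group(1), int(m.group(2)), m.group(3)
        entry = entries.setdefault(path, {"size": size})
        if entry["size"] != size:
            # The same path listed with two sizes means a corrupt or forged Release.
            raise ValueError("inconsistent size for %s" % path)
        entry[section] = digest
    return entries


def check_index(entries, path, data):
    """Compare local index bytes with the Release entry; return (ok, reason).

    Size is checked first (cheap, and the script in the thread does the same),
    then every digest the Release lists for that path must match."""
    entry = entries.get(path)
    if entry is None:
        return False, "not listed in Release"
    if len(data) != entry["size"]:
        return False, "size mismatch"
    if "md5" not in entry and "sha1" not in entry:
        return False, "no checksum listed"
    if "md5" in entry and hashlib.md5(data).hexdigest() != entry["md5"]:
        return False, "md5 mismatch"
    if "sha1" in entry and hashlib.sha1(data).hexdigest() != entry["sha1"]:
        return False, "sha1 mismatch"
    return True, "ok"


def demo():
    """Run the three interesting cases and return their (ok, reason) results."""
    entries = parse_release(RELEASE)
    return {
        "genuine": check_index(entries, INDEX_PATH, GOOD),
        "tampered": check_index(entries, INDEX_PATH, TAMPERED),
        "truncated": check_index(entries, INDEX_PATH, GOOD[:-1]),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-10s %s (%s)" % (name, "GOOD" if ok else "BAD", reason))
```

The point of the size check comes from the quoted Release lines themselves: every entry carries the byte count, so a Packages file that was edited in place (as in step 3 of the scenario) usually fails the cheap comparison before any hashing is done, and one edited to the same length still fails on the digest.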

