
Re: A problem with Packages? Or is it not?

On Mon, Jul 08, 2002 at 09:04:07PM +0200, Jakub Turski wrote:
> Let us assume the following scenario:
> 1/ Mr X has hacked the main ftp with debs.
> 2/ He puts his malicious version of some deb into the pool. He just adds
> it in the directory, nothing gets deleted.
> 3/ Mr X changes proper line in Packages. It is not signed, so the change
> remains unknown. Now Packages point to the malicious version of package.

That's what Release and Release.gpg prevent. The Securing Debian Manual
at http://www.debian.org/doc/ includes a script to verify these.

Colin Watson                                  [cjwatson@flatline.org.uk]
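
What the Release check in the reply above amounts to, as an added example that is not part of the original message or the manual's script: Release lists the size and checksum of each Packages file, so once `gpg --verify Release.gpg Release` succeeds, an edited Packages no longer matches it. The repository path, the sample data and the use of the SHA256 field are constructed assumptions.

```python
import hashlib

def parse_release(text, field="SHA256"):
    """Return {path: (hexdigest, size)} for one checksum section of a Release file."""
    entries, in_section = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):            # a new top-level field begins
            in_section = line.rstrip() == field + ":"
            continue
        if in_section:
            digest, size, path = line.split(None, 2)
            entries[path] = (digest.lower(), int(size))
    return entries

def verify_index(release_text, path, data):
    """Check an index file (e.g. Packages) against a Release file whose
    signature has already been verified with gpg."""
    entries = parse_release(release_text)
    if path not in entries:
        return False                            # unlisted files are never trusted
    digest, size = entries[path]
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

# --- constructed sample data, not taken from any real archive ---
PATH = "main/binary-i386/Packages"
GOOD_PACKAGES = (b"Package: hello\nVersion: 1.0-1\n"
                 b"Filename: pool/main/h/hello/hello_1.0-1_i386.deb\n")
RELEASE = ("Origin: Example\nSuite: stable\nSHA256:\n"
           f" {hashlib.sha256(GOOD_PACKAGES).hexdigest()} {len(GOOD_PACKAGES)} {PATH}\n")
# Step 3 of the scenario: the Filename line is edited to point at another .deb.
# The length is unchanged, so only the checksum can reveal the edit.
TAMPERED = GOOD_PACKAGES.replace(b"hello_1.0-1_i386.deb", b"hello_1.0-9_i386.deb")

if __name__ == "__main__":
    print("original Packages accepted:", verify_index(RELEASE, PATH, GOOD_PACKAGES))
    print("edited Packages accepted:  ", verify_index(RELEASE, PATH, TAMPERED))
```

The check is only as strong as the signature step before it: if Release itself is not verified against a trusted key, whoever can edit Packages can rewrite Release to match.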
