Re: A problem with Packages? Or is it not?
On Mon, Jul 08, 2002 at 09:04:07PM +0200, Jakub Turski wrote:
> Let us assume the following scenario:
> 1/ Mr X has hacked the main ftp with debs.
> 2/ He puts his malicious version of some deb into the pool. He just adds
> it to the directory; nothing gets deleted.
> 3/ Mr X changes the proper line in Packages. It is not signed, so the change
> remains unknown. Now Packages points to the malicious version of the package.
That's what Release and Release.gpg prevent. The Securing Debian Manual
at http://www.debian.org/doc/ includes a script to verify these.
Colin Watson [firstname.lastname@example.org]
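The chain the reply refers to, as an added example that is not part of the original thread and not the script from the Securing Debian Manual: Release.gpg signs Release, Release carries the hash and size of each Packages index, and Packages carries the hash and size of each .deb. Once the signature on Release checks out, a rewritten Packages line (the scenario above) or a swapped .deb in the pool fails at the corresponding hash step. The index path, field names and file layout below are assumptions modelled on the Debian archive format (real Release files list many indexes and also carry MD5Sum/SHA1 sections); the sample Packages stanzas, Release text and .deb contents are constructed inline, and the gpgv call is shown but not exercised offline.

```python
import hashlib
import subprocess

# Path of the index as it appears in Release (assumed layout for the example).
PACKAGES_PATH = "main/binary-i386/Packages"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_release_signature(release_path, sig_path, keyring):
    """Step 1 of the chain: check the detached Release.gpg against a keyring of
    archive keys you already trust (gpgv usage: gpgv --keyring K sigfile datafile).
    Not run in the offline demo; everything below assumes this step passed."""
    result = subprocess.run(["gpgv", "--keyring", keyring, sig_path, release_path],
                            capture_output=True)
    return result.returncode == 0


def parse_release_hashes(release_text, field="SHA256"):
    """Return {index_path: (digest, size)} from one hash section of Release.
    Section lines start with a space and read: '<digest> <size> <path>'."""
    hashes = {}
    in_section = False
    for line in release_text.splitlines():
        if line.startswith(" "):
            if in_section:
                digest, size, path = line.split()
                hashes[path] = (digest, int(size))
        else:
            in_section = line.strip() == field + ":"
    return hashes


def parse_packages(packages_text):
    """Return {package_name: fields} from blank-line separated Packages stanzas."""
    stanzas = {}
    for block in packages_text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas[fields["Package"]] = fields
    return stanzas


def verify_chain(release_text, packages_bytes, pool, package):
    """Steps 2 and 3: Release -> Packages -> .deb. Returns (ok, stage, detail).
    `pool` maps Filename (as listed in Packages) to the .deb bytes fetched."""
    expected = parse_release_hashes(release_text)
    if PACKAGES_PATH not in expected:
        return (False, "Release", "no entry for " + PACKAGES_PATH)
    digest, size = expected[PACKAGES_PATH]
    if len(packages_bytes) != size or sha256_hex(packages_bytes) != digest:
        return (False, "Packages", "index hash does not match the signed Release")
    stanza = parse_packages(packages_bytes.decode()).get(package)
    if stanza is None:
        return (False, "Packages", "package not listed")
    blob = pool.get(stanza["Filename"])
    if blob is None:
        return (False, "deb", "file missing from pool")
    if len(blob) != int(stanza["Size"]) or sha256_hex(blob) != stanza["SHA256"]:
        return (False, "deb", "package hash does not match Packages")
    return (True, "deb", stanza["Filename"])


def build_packages(entries):
    """Construct a Packages index from (name, filename, deb_bytes) tuples."""
    stanzas = ["Package: %s\nVersion: 1.0\nFilename: %s\nSize: %d\nSHA256: %s\n"
               % (name, filename, len(blob), sha256_hex(blob))
               for name, filename, blob in entries]
    return "\n".join(stanzas).encode()


def build_release(packages_bytes):
    """Construct the Release text the archive key would sign."""
    return ("Origin: Debian\nSuite: stable\nSHA256:\n %s %d %s\n"
            % (sha256_hex(packages_bytes), len(packages_bytes), PACKAGES_PATH))


def demo():
    """The thread's scenario on constructed data: an honest index, the same
    index with the foo line rewritten to point at an added malicious .deb,
    and a pool where the .deb itself was replaced without touching Packages."""
    good_deb = b"constructed sample: genuine foo_1.0_i386.deb contents"
    evil_deb = b"constructed sample: malicious foo_1.0-evil_i386.deb contents"
    good_path = "pool/main/f/foo/foo_1.0_i386.deb"
    evil_path = "pool/main/f/foo/foo_1.0-evil_i386.deb"
    pool = {good_path: good_deb, evil_path: evil_deb}  # attacker only added a file

    honest = build_packages([("foo", good_path, good_deb)])
    release = build_release(honest)  # what Release.gpg covers; not re-signable by Mr X
    tampered = build_packages([("foo", evil_path, evil_deb)])

    return {
        "honest": verify_chain(release, honest, pool, "foo"),
        "tampered_index": verify_chain(release, tampered, pool, "foo"),
        "swapped_deb": verify_chain(release, honest, {good_path: evil_deb}, "foo"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The rewritten Packages carries a perfectly valid hash for the malicious .deb, which is why hashing the .deb alone proves nothing; the check that catches it is the one against the signed Release, and it only means something if the gpgv step ran against a keyring you trust rather than a key fetched from the same compromised mirror.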