Re: https for apt to prevent man in middle transparent proxy mirror attacks?
On Wed, Jun 09, 2004 at 07:15:21AM -0700, Karl Hegbloom wrote:
> On Wed, 2004-06-09 at 16:08 +0200, Federico Di Gregorio wrote:
> > maybe i simply don't understand, but isn't Packages file signing done
> > exactly to avoid such an attack?
>
> Can you please explain how that works?
Well I just took a five second glance at a mirror site and worked it out
as follows:
/debian/pool/main/ contains packages;
/debian/dists/sarge/main/binary-<arch>/Packages contains the list of
packages include md5sums;
/debian/dists/sarge/Release contains the md5sums of all of the
binary-<arch>/Packages files;
/debian/dists/sarge/Release.gpg contains a detached signature for
/debian/dists/sarge/Release.
Hence you verify the GPG signature for the top-level release file and
follow the md5sums from there. Simple.
Hamish
--
Hamish Moffatt VK3SB <hamish@debian.org> <hamish@cloud.net.au>
Reply to: