Russ Allbery wrote:
> The missing link, in this validation scenario, is how to get a signed copy
> of the MD5 checksums of the files in the package.

That's one missing link. The other one is that there are innumerable ways for an attacker to inject bad behavior/backdoors onto a system without touching binaries originating from dpkg. Expecting debsums to protect against any form of attack is bound to result in a false sense of security; and AFAIK aide makes a credible attempt at solving the same problem.

--
see shy jo, who does not need to be CCed anymore on this thread

Though my SWAG is that it's still not complete when you consider the bootloader, permissions of files in /dev, or subtly corrupted partitions.