Re: Apt-get package verification

To: debian-security@lists.debian.org
Subject: Re: Apt-get package verification
From: Jim Breton <jamesb-debian@alongtheway.com>
Date: Thu, 8 Feb 2001 19:11:24 +0000
Message-id: <20010208191124.A12994@alongtheway.com>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <Pine.BSO.4.33.0102081226020.3292-100000@fluffy.cy.borg>; from schwack@fluffy.cy.borg on Thu, Feb 08, 2001 at 12:29:42PM -0600
References: <Pine.BSO.4.33.0102081226020.3292-100000@fluffy.cy.borg>

On Thu, Feb 08, 2001 at 12:29:42PM -0600, schwack wrote:
> Anybody know if apt will do any sort of verification of checksums or
> anything to validate the package is from debian?

Currently it won't.  :-\  You would have to get the packages yourself
and check the md5sums.

> and i'm curious that is somebody poisons some routes and/or dns caches, we could
> have serious trouble.

Yup.  :-\  However, using a good dns cache implementation (such as
djbdns) will reduce/eliminate the risk of anyone altering your dns
cache.  Then you're really only susceptible to modified routes, and
poisoned upstream name servers (root, .org, etc.).

Reply to:

Follow-Ups:
- Re: Apt-get package verification
  - From: Christian Hammers <ch@westend.com>

References:
- Apt-get package verification
  - From: schwack <schwack@fluffy.cy.borg>

Prev by Date: Apt-get package verification
Next by Date: Re: Apt-get package verification
Previous by thread: Apt-get package verification
Next by thread: Re: Apt-get package verification
Index(es):
- Date
- Thread