Re: Apt-get package verification
On Thu, Feb 08, 2001 at 08:22:47PM +0100, Christian Hammers wrote:
> > Currently it won't. :-\ You would have to get the packages yourself
> > and check the md5sums.
> Which were of course altered by the cracker. Bad idea.
No. I'm talking about the md5sums listed in the security advisories
sent by the Debian project. These messages are signed with their GPG
keys; if these messages are invalid or have been compromised and the
signatures still verify, then we have some far more serious problems.