Re: Apt-get package verification

To: debian-security@lists.debian.org
Cc: Christian Hammers <ch@westend.com>
Subject: Re: Apt-get package verification
From: Jim Breton <jamesb-debian@alongtheway.com>
Date: Thu, 8 Feb 2001 19:30:08 +0000
Message-id: <20010208193008.C12994@alongtheway.com>
Mail-followup-to: debian-security@lists.debian.org, Christian Hammers <ch@westend.com>
In-reply-to: <20010208202247.A16407@westend.com>; from ch@westend.com on Thu, Feb 08, 2001 at 08:22:47PM +0100
References: <Pine.BSO.4.33.0102081226020.3292-100000@fluffy.cy.borg> <20010208191124.A12994@alongtheway.com> <20010208202247.A16407@westend.com>

On Thu, Feb 08, 2001 at 08:22:47PM +0100, Christian Hammers wrote:
> > Currently it won't.  :-\  You would have to get the packages yourself
> > and check the md5sums.
> Which were of course altered by the cracker. Bad idea.

No.  I'm talking about the md5sums listed in the security advisories
sent by the Debian project.  These messages are signed with their GPG
keys; if these messages are invalid or have been compromised and the
signatures still verify, then we have some far more serious problems.

Reply to:

Follow-Ups:
- Re: Apt-get package verification
  - From: marcoghidinelli <marcogh@atdot.org>

References:
- Apt-get package verification
  - From: schwack <schwack@fluffy.cy.borg>
- Re: Apt-get package verification
  - From: Jim Breton <jamesb-debian@alongtheway.com>
- Re: Apt-get package verification
  - From: Christian Hammers <ch@westend.com>

Prev by Date: Re: Apt-get package verification
Next by Date: Re: sources.list
Previous by thread: Re: Apt-get package verification
Next by thread: Re: Apt-get package verification
Index(es):
- Date
- Thread