Package/Mirror integrity?


I have a question about how to verify integrity of Debian packages. I
want to verify that all packages that are to be installed are from
"official Debian mirror uploads".

The reason for this is to run Linux (preferably Debian ;-) in somewhat more
secure environments. I had a curious situation about this yesterday,
when I installed a new potato system from deb ftp mirrors. Installing
the system was no problem, but when I installed xdm I lost my passwd and
shadow file, and rebooting showed a lot of filesys errors. After the
third try with the same result I switched to woody, which runs fine now.
First I just wondered about potato (== stable!!) or my capabilities to
install it and didn't think much more about it. But in the meantime I
heard of a similar problem with some customers of ours, and some people
were getting concerned about security. Especially they heard of rumors
about root-kits that "kill" passwd's and the like. This can kick Debian
online install/update out of companies.

I remember Debian folks were talking about some kind of checksums to
integrate in package manager system (dpkg e.a.) some time ago. Is there
any work in progress, where can I find out more about this? I took a
look at Debian's documentation and security section but did not find
anything about this.


