[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Package/Mirror integrity?


i have a question about how to verify integrity of Debian packages. I
want to verify that all packages that are to be  installed are from
"official Debian  mirror uploads".

Reason for this is to run Linux (preferably Debian ;-)  in somewhat more
secure environments. I had a curious situation about this yesterday,
when i installed a new potato system from deb ftp mirrors. Installing
the system was no problem, but when i installed xdm i lost my passwd and
shadow file, and rebooting showed a lot of filesys errors. After the
third try with same result i switched to woody, which runs fine now.
First i just wondered about potato (== stable!!) or my capabilties to
install it and didn't think much more about it. But in the meantime i
heard of an similar problem with some customers of us, and  some people
were getting concerned about security. Especially they heard of rumors
about root-kits that "kill" passwd's and the like. This can kick Debian
online install/update out of companies.

I remember Debian folks wher talking about some kind of checksums to
integrate in package manager system (dpkg e.a.) some time ago.  Is there
any work in progress, where can i find out more about this? I took a
look on Debian's documentation and security section but did not find
anything about this.


Reply to: