[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Package/Mirror integrity?



On Fri, 04 May 2001, a certain Debian user wrote:
> I remember Debian folks wher talking about some kind of checksums to
> integrate in package manager system (dpkg e.a.) some time ago.  Is there
> any work in progress, where can i find out more about this? I took a
> look on Debian's documentation and security section but did not find
> anything about this.

A secure (digital signature-based) system is being deployed right now in the
unstable distribution, but it is not fully integrated into our archive
structure yet.  Unstable's dpkg (version 1.9.4) is fully capable of
requering and checking digital signatures with the aid of the debsign
package (which is already in unstable as well), but we have not started to
distribute signatures along with packages yet.

MD5 checksums are available in most (but unfortunately not all) packages.
MD5 checksums are always issued along with every (including security) update
to the stable distribution.  This is far from perfect, but it's all we can
offer you until we finish deploying the full signature-based system, AFAIK.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Attachment: pgpXSn5nd5AAf.pgp
Description: PGP signature


Reply to: