
Re: Package/Mirror integrity?



Henrique M Holschuh wrote:

> On Fri, 04 May 2001, a certain Debian user wrote:
> > I remember Debian folks were talking about some kind of checksums to
> > integrate in package manager system (dpkg e.a.) some time ago.  Is there
> > any work in progress, where can I find out more about this? I took a
> > look on Debian's documentation and security section but did not find
> > anything about this.
>
> A secure (digital signature-based) system is being deployed right now in the
> unstable distribution, but it is not fully integrated into our archive
> structure yet.

Where to find out more about it? Of course, get the packages and read what's
in 'em. But what I mean is some sort of online available docu, mail/news or so.

> Unstable's dpkg (version 1.9.4) is fully capable of
> requiring and checking digital signatures with the aid of the debsign
> package (which is already in unstable as well), but we have not started to
> distribute signatures along with packages yet.

I.e. not in "testing". Any scheduling plans about when it will show up there?
How will signature distribution work?

> MD5 checksums are available in most (but unfortunately not all) packages.

Is this going to be a "policy" issue for packages to come into "official"
Debian distribution?

> MD5 checksums are always issued along with every (including security) update
> to the stable distribution.  This is far from perfect, but it's all we can
> offer you until we finish deploying the full signature-based system, AFAIK.

How can I check packages for correct checksums right now?


Gerhard


