
Re: Package/Mirror integrity?

On Fri, 04 May 2001, Debian User wrote:
> Henrique M Holschuh wrote:
> > A secure (digital signature-based) system is being deployed right now in the
> > unstable distribution, but it is not fully integrated into our archive
> > structure yet.
> Where to find out more about it? Of course, get the packages and read what's
> in 'em. But what I mean is some sort of online available docu, mail/news or so.

I don't think there are any docs besides the manpages and source.

> i.e. not in "testing". Any scheduling plans about when it will show up there?
> How will signature distribution work?

Things get installed in testing when they get installed in testing. There
are complicated heuristics behind testing's automated update; I have no idea
when dpkg will be upgraded. Try to read about testing in
http://ftp-master.debian.org/testing/ if you're curious.

> > MD5 checksums are available in most (but unfortunately not all) packages.
> Is this going to be a "policy" issue for packages to come into "official"
> Debian distribution?

No. We'll simply sign all of the packages, and the recommended way to take
care of the unpacked files has always been using tripwire or AIDE, or
another software like that.

> > MD5 checksums are always issued along with every (including security) update
> > to the stable distribution.  This is far from perfect, but it's all we can
> > offer you until we finish deploying the full signature-based system, AFAIK.
> How can I check packages for correct checksums right now?

See the debsums package, and the dlocate package.

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
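
The kind of per-file MD5 check discussed in this message, as an added example that is not part of the original post and not code from debsums or dlocate. It assumes an md5sum-style list (`digest  path`, paths relative to a root directory); the file names and contents are constructed sample data.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse 'md5hex  relative/path' lines into a {path: digest} dict."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower()
        if len(parts) != 2 or len(digest) != 32 or set(digest) - set("0123456789abcdef"):
            raise ValueError("malformed md5sums line: %r" % line)
        entries[parts[1].strip()] = digest
    return entries

def md5_file(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(root, entries):
    """Return {path: 'OK' | 'FAILED' | 'MISSING'} for every listed file."""
    results = {}
    for rel, expected in sorted(entries.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "MISSING"
        else:
            results[rel] = "OK" if md5_file(full) == expected else "FAILED"
    return results

def demo():
    """Constructed sample: record checksums, alter one file, then verify."""
    with tempfile.TemporaryDirectory() as root:
        files = {"usr/bin/hello": b"hello v1\n", "usr/bin/tool": b"tool v1\n"}
        lines = ["%s  usr/share/doc/hello/README" % hashlib.md5(b"doc\n").hexdigest()]
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            lines.append("%s  %s" % (hashlib.md5(data).hexdigest(), rel))
        with open(os.path.join(root, "usr/bin/tool"), "ab") as f:
            f.write(b"changed after install\n")  # simulated modification
        return verify(root, parse_md5sums("\n".join(lines)))
```

A checksum list stored on the same machine as the files can be rewritten along with them, which is why the message points to signed packages and to tripwire or AIDE for the unpacked files.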
