Re: Package/Mirror integrity?
Petr Cech wrote:
> also there are now signed Packages files on mirrors, so you can just check
> the Packages and MD5 sums of .deb files it contains.
Is there a way (already existing or seen for the future) to prevent from faked
packages/checksums, when someone "hijacks" an mirror and uploads some
packages and info files with trojans and self generated checksums? There are
lot's of mirrors around the world in meantime, an you can't realy tell "how
secure" and therby how trustworthy they are.
Just let me give an ficitve example for this thought, even it get's somewhat
paranoidac: somwhere in any company there is an sysadmin installing some
Debian systems, because ease of hadling installation and updates. This
happens everywhere, so it's not too fictive jet. But imagine some bad guys or
secret service or who ever want's to collect information or establish
backdoors. They yust neet to setup and register an Debian mirror, run it for a
while fast and whith high avaliability, and soon lot's of admins will use it
as their update mirror. Now bad guys can manipulate just one base package to
get backdoor access and install root kits, and have quick access to any
rescources. Same if someone just gets access to an mirror by any exploit,
without running it himself.
As far as I see this not covered by now. Though this is IMHO somewhat fictive,
i'm shure this problem will rise in future more, because it would be an
attractive target for interestet parties. We should look ahead to prevent
these things somhow.
> Note that apt does MD5
> check the file after download
With an internal md5 checker? It's not depending on debsums, which i've just
installed. Or does it use external "md5sum" binary"?