
Re: Package/Mirror integrity?

At 11:11 AM 5/7/01 +0200, you wrote:
Petr Cech wrote:

> also there are now signed Packages files on mirrors, so you can just check
> the Packages and MD5 sums of .deb files it contains.

Is there a way (already existing or seen for the future) to prevent fake
packages/checksums, when someone "hijacks" a mirror and uploads some
packages and info files with trojans and self-generated checksums? There are
lots of mirrors around the world in the meantime, and you can't really tell "how
secure" and thereby how trustworthy they are.

If the site is an official mirror, then the suspect files should be clobbered on the next rsync. The biggest danger would come if the root server were compromised; however, if this were to happen, life would be bad. I would think if you were concerned about suspect files then doing an rsync for just the md5sum files off of the main ftp server should in theory give you a "known good" baseline.

> Note that apt does MD5
> check the file after download

With an internal md5 checker? It's not depending on debsums, which I've just
installed. Or does it use the external "md5sum" binary?



John W. Bloodworth
Senior linux support technician

 This answer was provided by the
 Sutherland Support Center.
 We provide solutions for most of your
 Linux needs.
(800) 431-3787

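The check the thread describes, downloaded .deb versus the MD5sum recorded in the Packages index, as an added example that is not code from the list or from apt; the Packages text and package bytes below are constructed sample data, and the check assumes the index's signature has already been verified, since an unsigned index from a hijacked mirror proves nothing.

```python
"""Verify a .deb against the Size and MD5sum fields of a Packages index."""
import hashlib

# Constructed sample Packages index (two stanzas, blank-line separated).
# Real indexes carry more fields; current ones also list SHA256, which is
# checked the same way.
SAMPLE_PACKAGES = """\
Package: hello
Version: 2.1.1-4
Architecture: i386
Filename: pool/main/h/hello/hello_2.1.1-4_i386.deb
Size: 5
MD5sum: 5d41402abc4b2a76b9719d911017c592

Package: example
Version: 1.0-1
Architecture: all
Filename: pool/main/e/example/example_1.0-1_all.deb
Size: 3
MD5sum: 900150983cd24fb0d6963f7d28e17f72
"""


def parse_packages(text):
    """Return {Filename: {field: value}} for every stanza in a Packages file."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            # Indented lines are continuations (e.g. long Description); skip them.
            if line.startswith((" ", "\t")) or ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Filename" in fields:
            index[fields["Filename"]] = fields
    return index


def verify_deb(index, filename, data):
    """True only if data matches the Size and MD5sum the index lists for filename."""
    entry = index.get(filename)
    if entry is None:
        return False  # absent from the (signed) index: nothing vouches for it
    if int(entry.get("Size", -1)) != len(data):
        return False  # cheap check before hashing; a size mismatch already fails
    return hashlib.md5(data).hexdigest() == entry["MD5sum"].lower()


if __name__ == "__main__":
    idx = parse_packages(SAMPLE_PACKAGES)
    deb = "pool/main/h/hello/hello_2.1.1-4_i386.deb"
    print("genuine:", verify_deb(idx, deb, b"hello"))    # True
    print("tampered:", verify_deb(idx, deb, b"hellO"))   # False
```

A mirror operator who swaps in a trojaned .deb must also rewrite its MD5sum in Packages, which is exactly what the signature on the index is there to prevent.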