Petr Cech wrote:
> also there are now signed Packages files on mirrors, so you can just check
> the Packages and MD5 sums of .deb files it contains.
Is there a way (already existing or foreseen for the future) to prevent faked
packages/checksums, when someone "hijacks" a mirror and uploads some
packages and info files with trojans and self-generated checksums? There are
lots of mirrors around the world in the meantime, and you can't really tell "how
secure" and thereby how trustworthy they are.
>>>>SNIP<<<<
If the site is an official mirror, then the suspect files should be
clobbered on the next rsync. The biggest danger would come if the root
server were compromised. However, if this were to happen life would be
bad. I would think if you were concerned about suspect files then doing an
rsync for just the md5sum files off of the main ftp server should in theory
give you a "known good" baseline.
> Note that apt does MD5
> check the file after download
With an internal md5 checker? It's not depending on debsums, which I've just
installed. Or does it use the external "md5sum" binary?
Gerhard
--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
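The check the thread is talking about (comparing a downloaded .deb against the Size and MD5sum fields of the Packages index) as an added, stand-alone example. This is not code from the thread, from apt or from debsums; the Packages stanzas, the package names and the "downloaded" bodies below are constructed fixtures, and the only real value in them is the MD5 of the 11-byte string "hello world". The parser follows the control-file format apt uses (blank-line-separated stanzas, "Field: value" lines, continuation lines indented with a space).

```python
import hashlib
from typing import Dict

# Constructed Packages index (not from any real mirror). Three stanzas stand
# in for an intact package, one whose content a mirror altered without
# changing its size, and one the download truncated. The two computed
# digests are fixtures, not values copied from a Debian archive.
PACKAGES_TEXT = f"""\
Package: hello
Version: 2.10-2
Architecture: amd64
Filename: pool/main/h/hello/hello_2.10-2_amd64.deb
Size: 11
MD5sum: 5eb63bbbe01eeed093cb22bb8f5acdc3
Description: example package
 continuation lines are indented with one space

Package: goodbye
Version: 1.0-1
Architecture: amd64
Filename: pool/main/g/goodbye/goodbye_1.0-1_amd64.deb
Size: 7
MD5sum: {hashlib.md5(b"goodbye").hexdigest()}

Package: farewell
Version: 0.1-1
Architecture: amd64
Filename: pool/main/f/farewell/farewell_0.1-1_amd64.deb
Size: 8
MD5sum: {hashlib.md5(b"farewell").hexdigest()}
"""


def parse_packages(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Packages index into {Filename: {field: value}}.

    Stanzas are separated by blank lines; a line beginning with whitespace
    continues the previous field (used by Description)."""
    entries: Dict[str, Dict[str, str]] = {}
    stanza: Dict[str, str] = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            if stanza:
                entries[stanza["Filename"]] = stanza
            stanza, last_key = {}, None
            continue
        if line[0] in " \t" and last_key is not None:
            stanza[last_key] += "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        stanza[last_key] = value.strip()
    if stanza:
        entries[stanza["Filename"]] = stanza
    return entries


def verify_deb(entry: Dict[str, str], data: bytes) -> str:
    """Compare a downloaded .deb body with its index entry.

    Size is checked first (cheap, catches truncation), then the MD5 digest.
    Returns 'ok', 'size-mismatch' or 'md5-mismatch'."""
    if len(data) != int(entry["Size"]):
        return "size-mismatch"
    if hashlib.md5(data).hexdigest() != entry["MD5sum"].lower():
        return "md5-mismatch"
    return "ok"


def check_downloads(index_text: str, downloads: Dict[str, bytes]) -> Dict[str, str]:
    """Verify every downloaded file against the index; files the index does
    not list are reported rather than silently accepted."""
    index = parse_packages(index_text)
    results = {}
    for filename, data in downloads.items():
        entry = index.get(filename)
        results[filename] = "not-in-index" if entry is None else verify_deb(entry, data)
    return results


# Constructed bodies standing in for what a mirror served (assumption: a
# .deb is treated as an opaque byte string here; real ones are ar archives).
DOWNLOADS = {
    "pool/main/h/hello/hello_2.10-2_amd64.deb": b"hello world",  # intact
    "pool/main/g/goodbye/goodbye_1.0-1_amd64.deb": b"g00dbye",   # same size, altered bytes
    "pool/main/f/farewell/farewell_0.1-1_amd64.deb": b"fare",    # truncated transfer
    "pool/main/x/extra/extra_9_amd64.deb": b"unlisted",          # never in the index
}

if __name__ == "__main__":
    for name, status in check_downloads(PACKAGES_TEXT, DOWNLOADS).items():
        print(f"{status:14s} {name}")
```

Note what this does and does not cover: it ties each .deb to the Packages file it was listed in, which is the check the reply says apt performs after download. It says nothing about whether that Packages file itself is genuine, which is exactly the hijacked-mirror case raised above; for that the index has to be verified against something the mirror operator cannot rewrite, such as the signature on the Packages file or an md5sum baseline fetched from the main server rather than the mirror.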