Re: Package/Mirror integrity?

On Mon, May 07, 2001 at 11:11:13AM +0200 , Gerhard Kroder wrote:
> Petr Cech wrote:
> > also there are now signed Packages files on mirrors, so you can just check
> > the Packages and MD5 sums of .deb files it contains.
> Is there a way (already existing or seen for the future) to prevent faked
> packages/checksums, when someone "hijacks" a mirror and uploads some
> packages and info files with trojans and self-generated checksums? There are

Yes. There is now Release.gpg, which is a signature of Release, which includes
md5 and size of Packages, which in turn includes md5 of .deb files. You only
need to look at the FTP archive, as I've just done, to see what's implemented.

There is also a way to sign individual packages. dpkg, debsigs,

> > Note that apt does MD5
> > check the file after download
> With an internal md5 checker? It's not depending on debsums, which I've just
> installed. Or does it use the external "md5sum" binary?

Don't know, but judging from the source, it's internal.

				Petr Cech
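The chain described in the reply (Release.gpg signs Release, Release lists md5 and size of Packages, Packages lists md5 and size of each .deb) checked mechanically, as an added example that is not part of the list message or of apt itself. It assumes the gpg step (`gpg --verify Release.gpg Release`) has already succeeded, and it runs on constructed sample files rather than a real mirror; the `MD5Sum:` section layout of Release and the `Filename`/`Size`/`MD5sum` fields of Packages are the archive formats as I understand them.

```python
import hashlib
import re


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_release_md5(release_text: str) -> dict:
    """Map path -> (md5, size) from the MD5Sum: section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):
                break  # next top-level field ends the section
            m = re.match(r"\s*([0-9a-f]{32})\s+(\d+)\s+(\S+)", line)
            if m:
                entries[m.group(3)] = (m.group(1), int(m.group(2)))
    return entries


def parse_packages(packages_text: str) -> dict:
    """Map Filename -> (MD5sum, Size) for each stanza of a Packages file."""
    result = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        result[fields["Filename"]] = (fields["MD5sum"], int(fields["Size"]))
    return result


def verify_chain(release_text, packages_text, packages_path, deb_path, deb_bytes) -> bool:
    """Release (already gpg-verified) -> Packages -> .deb; True only if every link matches."""
    rel = parse_release_md5(release_text)
    if packages_path not in rel:
        return False  # Packages file not covered by the signed Release
    md5, size = rel[packages_path]
    pkg_bytes = packages_text.encode()
    if md5 != md5hex(pkg_bytes) or size != len(pkg_bytes):
        return False  # Packages was altered after Release was signed
    pkgs = parse_packages(packages_text)
    if deb_path not in pkgs:
        return False
    md5, size = pkgs[deb_path]
    return md5 == md5hex(deb_bytes) and size == len(deb_bytes)


# Constructed sample archive: a fake .deb, a Packages stanza for it, a Release covering Packages.
FAKE_DEB = b"!<arch>\nconstructed fake package body\n"
DEB_PATH = "pool/main/e/example/example_1.0_i386.deb"
PKG_PATH = "main/binary-i386/Packages"
PACKAGES = ("Package: example\nVersion: 1.0\nArchitecture: i386\n"
            f"Filename: {DEB_PATH}\nSize: {len(FAKE_DEB)}\nMD5sum: {md5hex(FAKE_DEB)}\n\n")
RELEASE = ("Origin: Constructed\nMD5Sum:\n"
           f" {md5hex(PACKAGES.encode())} {len(PACKAGES.encode())} {PKG_PATH}\n")
```

A mirror that swaps a .deb and rewrites Packages with a fresh checksum fails at the Packages link, because Release still carries the original md5 and size of Packages.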
