Re: (fwd) OpenSSH trojan!

Paul Hampson wrote on Thursday, August 01, 2002 3:16 PM:

> On Thu, Aug 01, 2002 at 02:31:07PM +0200, Sebastien Chaumat wrote:
>>  Is there any source signing mechanism available in Debian?
> There is, in that the MD5 sum of the .orig.tar.gz goes into
> the .dsc file.
> Not that it would affect this case, since the trojan would have
> been in the tar.gz which had its MD5 recorded. Although it
> would only affect people who built the package anyway.

Maybe the interesting thing would be that the /var/lib/dpkg/info/*.md5sums
(or another file) contain the md5sum of the source archive (.orig.tar.gz)
that was used to build the package. Then people having only downloaded the
.deb would be able to ensure that it has been compiled using original
sources. Furthermore, I think it is an additional security measure to be able
to verify the integrity of the package sources without actually downloading
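As an added example (not code from this thread or from Debian's own tools): a check of a downloaded .orig.tar.gz against the MD5 and size recorded in the Files: field of a .dsc, which is the mechanism Paul describes above. The .dsc fragment, package name and tarball bytes are constructed for the example.

```python
import hashlib

# Constructed sample: a stand-in for foo_1.0.orig.tar.gz (not a real archive).
ORIG_NAME = "foo_1.0.orig.tar.gz"
ORIG_TARBALL = b"constructed stand-in for the upstream tarball bytes\n"


def build_dsc(files):
    """Build a minimal .dsc fragment whose Files: field records each
    archive as '<md5> <size> <name>', one file per indented line."""
    lines = ["Format: 1.0", "Source: foo", "Version: 1.0-1", "Files:"]
    for name, data in files:
        lines.append(f" {hashlib.md5(data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n"


def parse_dsc_files(dsc_text):
    """Return {name: (md5hex, size)} from the Files: field of a .dsc.
    The entries are the indented continuation lines after 'Files:'; the
    first non-indented line (e.g. a PGP signature marker) ends the field."""
    files = {}
    in_files = False
    for line in dsc_text.splitlines():
        if line.startswith("Files:"):
            in_files = True
            continue
        if in_files:
            if not line.startswith(" "):
                break
            md5hex, size, name = line.split()
            files[name] = (md5hex, int(size))
    return files


def verify_source(dsc_text, name, data):
    """True only if `data` matches both the size and the MD5 the .dsc
    records for `name`; a name the .dsc does not list never verifies."""
    entry = parse_dsc_files(dsc_text).get(name)
    if entry is None:
        return False
    md5hex, size = entry
    return len(data) == size and hashlib.md5(data).hexdigest() == md5hex


# Constructed .dsc built from the sample tarball above.
DSC = build_dsc([(ORIG_NAME, ORIG_TARBALL)])

if __name__ == "__main__":
    print("intact:", verify_source(DSC, ORIG_NAME, ORIG_TARBALL))
    print("tampered:", verify_source(DSC, ORIG_NAME, ORIG_TARBALL + b"x"))
```

The recorded MD5 vouches for the tarball only as far as the .dsc itself is trusted, so its maintainer signature has to be checked separately before relying on this comparison.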


