Re: (fwd) OpenSSH trojan!
Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE> wrote:
> There isn't an easy way to determine whether a Debian package is
> authentic or not. I'm not even sure what "authentic" means in this

You are most likely correct, but I'm just mapping my options here; are
Debian packages md5summed regularly? If so, I have the ``debsums'' package
installed. Does this software check the MD5 checksum before the package
is installed with apt - or is this just wishful thinking?

I was just wondering about the policy, in general - too. Are the
"official" Debian packages created with MD5 checksum file, as well? And
does ``debsums'' work in conjunction with apt, so it would check the
package and checksum file before apt installs it? As I said, just
mapping my options here...
Jussi Ekholm -- <firstname.lastname@example.org> -- http://erppimaa.ihku.org/