Re: (fwd) OpenSSH trojan!

On Sat, 3 Aug 2002 11:47:19 +0300
"Jussi Ekholm" <ekhowl@goa-head.org> wrote:

> You are most likely correct, but I'm just mapping my options here; are
> Debian packages md5summed regularly? If so, I have ``debsums'' package
> installed. Does this software check the MD5 checksum before the package
> is installed with apt - or is this just wishful thinking?
> I was just wondering about the policy, in general - too. Are the
> "official" Debian packages created with MD5 checksum file, as well? And
> does ``debsums'' work in conjunction with apt, so it would check the
> package and checksum file before apt installs it? As I said, just
> mapping my options here...

We had this kind of discussion some weeks ago on this list. Here is my "resumé" that I wrote:


Thanks! So to bring my questions to an end: In dpkg 1.9.21 the signature
checking feature for the .debs is compiled into the code AND active as
soon as debsig-verify is installed. I read the mentioned thread too, but
it was not clear to me if this was only a feature that's not activated
yet, or anything. Furthermore, there are lots of different opinions
around concerning this security feature. Some say it is included, others
say not.

In this case we can say: When doing network installs via dselect or any 
other apt-get frontend, the signatures of the .debs are checked during 
installation time, IF debsig-verify is installed. This works at least 
from dpkg 1.9.21 on.
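Added example, not code from the thread or from the debsums/debsig-verify projects: a debsums-style check (installed files compared against the md5sums list the package itself shipped) run over a constructed sample tree in a temp directory, showing why it catches a file changed after installation but not a trojaned package, whose md5sums list was generated from the trojaned files. The path of the real lists, /var/lib/dpkg/info/<pkg>.md5sums, is from my own knowledge, not from the thread; verifying the signature embedded in the .deb is what debsig-verify does and is not reproduced here.

```shell
#!/bin/sh
# mk_sample_pkg DIR : constructed stand-in for an installed package
# (a fake sshd plus the md5sums list dpkg-deb would generate from it).
mk_sample_pkg() {
    mkdir -p "$1/usr/bin" "$1/info"
    printf 'echo original sshd\n' > "$1/usr/bin/sshd"
    # the list is built from the package contents at build time
    (cd "$1" && md5sum usr/bin/sshd) > "$1/info/openssh.md5sums"
}

# debsums_check DIR : 0 if every listed file still matches, 1 otherwise
# (same idea as `debsums`, which reads /var/lib/dpkg/info/*.md5sums)
debsums_check() {
    (cd "$1" && md5sum -c --status info/openssh.md5sums) 2>/dev/null
}

# Case 1: nothing changed since installation -> check passes
scenario_clean_install() {
    d=$(mktemp -d); mk_sample_pkg "$d"
    debsums_check "$d"; rc=$?
    rm -rf "$d"; return $rc
}

# Case 2: binary replaced after installation -> mismatch detected
scenario_tampered_after_install() {
    d=$(mktemp -d); mk_sample_pkg "$d"
    printf 'echo replaced after install\n' > "$d/usr/bin/sshd"
    debsums_check "$d"; rc=$?
    rm -rf "$d"; return $rc
}

# Case 3: trojaned package: the md5sums list was generated from the
# already-modified file, so every sum matches and nothing is detected.
# Only a signature over the whole .deb (debsig-verify) covers this.
scenario_trojaned_package() {
    d=$(mktemp -d); mk_sample_pkg "$d"
    printf 'echo modified before packaging\n' > "$d/usr/bin/sshd"
    (cd "$d" && md5sum usr/bin/sshd) > "$d/info/openssh.md5sums"
    debsums_check "$d"; rc=$?
    rm -rf "$d"; return $rc
}

# Stand-alone run: report all three cases
for s in scenario_clean_install scenario_tampered_after_install \
         scenario_trojaned_package; do
    if "$s"; then echo "$s: md5sums match"; else echo "$s: MISMATCH"; fi
done
```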
