Re: (fwd) OpenSSH trojan!
Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE> wrote:
> There isn't an easy way to determine whether a Debian package is
> authentic or not. I'm not even sure what "authentic" means in this
> context.
You are most likely correct, but I'm just mapping my options here; are
Debian packages md5summed regularly? If so, I have ``debsums'' package
installed. Does this software check the MD5 checksum before the package
is installed with apt - or is this just wishful thinking?
I was just wondering about the policy, in general - too. Are the
"official" Debian packages created with MD5 checksum file, as well? And
does ``debsums'' work in conjunction with apt, so it would check the
package and checksum file before apt installs it? As I said, just
mapping my options here...
- --
Jussi Ekholm -- <ekhowl@goa-head.org> -- http://erppimaa.ihku.org/