
Re: (fwd) OpenSSH trojan!



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE> wrote:
> There isn't an easy way to determine whether a Debian package is
> authentic or not.  I'm not even sure what "authentic" means in this
> context.

You are most likely correct, but I'm just mapping my options here; are
Debian packages md5summed regularly? If so, I have the ``debsums'' package
installed. Does this software check the MD5 checksum before the package
is installed with apt - or is this just wishful thinking?

I was just wondering about the policy, in general - too. Are the
"official" Debian packages created with an MD5 checksum file, as well? And
does ``debsums'' work in conjunction with apt, so it would check the
package and checksum file before apt installs it? As I said, just
mapping my options here...

- -- 
Jussi Ekholm  --  <ekhowl@goa-head.org>  --  http://erppimaa.ihku.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9S5iXAtEARxQQCB4RAtO2AJ9jqY9IM3LuRiB6eCV6hhlczdrCYQCeO5k+
m6ad2IkzWvAwYNSpM9scC2Q=
=hyFw
-----END PGP SIGNATURE-----


