Re: Mirrors security

On Fri, Feb 04, 2005 at 08:32:55PM -0200, Felipe Massia Pereira wrote:
>I'd like to know more about security procedures for mirrors, mainly how 
>to check the repository for malicious corruption, and if there is a 
>channel which could be used to notify users who download from my mirror.

The checksums of the Packages files for a distribution are contained in
the dists/DIST/Release file, with a detached signature Release.gpg.

This provides a chain of trust by which each package may be verified
against a checksum in the Packages file, which itself may be verified
using the signed Release file.

There is a patch to APT to do this automatically, currently only applied
to the experimental version.

As for checking an entire mirror, I don't know of anything which currently
does this, but the process should be fairly straightforward:

  1. For each distribution D, verify dists/D/Release{,.gpg} against the
     archive key.
  2. Check the md5sums of the files listed in each Release file.
  3. Check the md5sums of the packages listed in each Packages file.
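
The three steps above, sketched in Python as an added example (not part of the original message and not APT's code). The function names are hypothetical; it assumes gpgv is installed, that the caller supplies the archive keyring path, and that uncompressed Packages files are present on the mirror.

```python
import hashlib, os, subprocess

def signature_ok(release, sig, keyring):
    # Step 1: gpgv checks the detached signature against the archive keyring only.
    return subprocess.run(["gpgv", "--keyring", keyring, sig, release],
                          capture_output=True).returncode == 0

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def release_entries(path):
    # Lines of the "MD5Sum:" section look like " <md5> <size> <relative path>".
    # Current Release files also carry a SHA256 section with the same layout.
    in_md5 = False
    with open(path) as f:
        for line in f:
            if not line.startswith(" "):
                in_md5 = line.strip() == "MD5Sum:"
            elif in_md5 and line.strip():
                md5, size, rel = line.split()
                yield md5, int(size), rel

def packages_entries(path):
    # One stanza per package; Filename is relative to the mirror root.
    with open(path, encoding="utf-8", errors="replace") as f:
        for stanza in f.read().split("\n\n"):
            fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                          if ": " in l and not l.startswith(" "))
            if "Filename" in fields:
                yield fields["MD5sum"], int(fields["Size"]), fields["Filename"]

def status(path, md5, size):
    if not os.path.isfile(path):
        return "missing"
    return "ok" if os.path.getsize(path) == size and md5_of(path) == md5 else "mismatch"

def verify_dist(root, dist):
    """Steps 2 and 3; returns [(relative path, 'missing' | 'mismatch'), ...]."""
    base = os.path.join(root, "dists", dist)
    bad = []
    for md5, size, rel in release_entries(os.path.join(base, "Release")):
        index = os.path.join(base, rel)
        state = status(index, md5, size)
        if state != "ok":
            bad.append((os.path.join("dists", dist, rel), state))
        elif os.path.basename(rel) == "Packages":  # only trust an index that verified
            bad += [(fn, s) for m, sz, fn in packages_entries(index)
                    if (s := status(os.path.join(root, fn), m, sz)) != "ok"]
    return bad
```

Call signature_ok() on dists/D/Release and Release.gpg first and run verify_dist() only if it returns True; a Packages file that fails its own checksum is reported and never used to judge packages.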


