Re: Mirrors security

To: debian-security@lists.debian.org
Subject: Re: Mirrors security
From: Brendan O'Dea <bod@debian.org>
Date: Sat, 5 Feb 2005 15:45:52 +1100
Message-id: <[🔎] 20050205044552.GA7353@londo.c47.org>
In-reply-to: <[🔎] 4203F817.8000602@las.ic.unicamp.br>
References: <[🔎] 4203F817.8000602@las.ic.unicamp.br>

On Fri, Feb 04, 2005 at 08:32:55PM -0200, Felipe Massia Pereira wrote:
>I'd like to know more about security procedures for mirrors, mainly how 
>to check the repository for malicious corruption, and if there is a 
>channel which could be used to notify users who download from my mirror.

The checksums of the Packages files for a distribution are contained in
the dists/DIST/Release file, with a detached signature Release.gpg .

This provides a chain of trust by which each package may be verified
against a checksum in the Packages file, which itself may be verified
using the signed Release file.

There is a patch to APT to do this automatically, currently only applied
to the experimental version.

As checking an entire mirror, I don't know of anything which currently
does this, but the process should be fairly straightforward:

  1. For each distribution D, verify dist/D/Release{,.gpg} against the
     archive key.

  2. Check the md5sums of the files listed in each Release file.
  3. Check the md5sums of the packages listed in each Packages file.

--bod

Reply to:

Follow-Ups:
- Re: Mirrors security
  - From: Felipe Massia Pereira <felipe@las.ic.unicamp.br>

References:
- Mirrors security
  - From: Felipe Massia Pereira <felipe@las.ic.unicamp.br>

Prev by Date: Re: Mirrors security
Next by Date: AWStats Multiple Unspecified Remote Input Validation Vulnerabilities
Previous by thread: Re: Mirrors security
Next by thread: Re: Mirrors security
Index(es):
- Date
- Thread