
Re: Mirrors security

Do I really have to check all the .deb files listed in the Packages files if I have already checked all the Packages files themselves and they check out? AFAIK apt-get always checks whether the md5 (from the Packages files it downloads) matches and warns/forbids the user from installing such a "dirty" package. I mean, what really matters is to check that all Packages{,.gz} have a good signature from the Archiver, am I right?


On Sat, 5 Feb 2005, Brendan O'Dea wrote:

On Fri, Feb 04, 2005 at 08:32:55PM -0200, Felipe Massia Pereira wrote:
I'd like to know more about security procedures for mirrors, mainly how
to check the repository for malicious corruption, and if there is a
channel which could be used to notify users who download from my mirror.

The checksums of the Packages files for a distribution are contained in
the dists/DIST/Release file, with a detached signature Release.gpg.

This provides a chain of trust by which each package may be verified
against a checksum in the Packages file, which itself may be verified
using the signed Release file.

There is a patch to APT to do this automatically, currently only applied
to the experimental version.

As for checking an entire mirror, I don't know of anything which currently
does this, but the process should be fairly straightforward:

 1. For each distribution D, verify dists/D/Release{,.gpg} against the
    archive key.

 2. Check the md5sums of the files listed in each Release file.
 3. Check the md5sums of the packages listed in each Packages file.


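The three steps Brendan lists, worked through as an added example. This is not code from Debian or APT and not from either poster: a small Python checker that runs gpgv on Release.gpg against the archive keyring (step 1), then verifies every file the Release file lists (step 2), then every .deb each Packages file lists (step 3). The Release hash section and the Packages fields are the real formats; the mirror tree it builds for its demo, the package in it, and the keyring path are assumptions. The demo also shows the two failure modes a mirror admin cares about: a .deb altered in place with its size preserved is caught at step 3 by its md5, and an altered Packages index fails at step 2, so nothing below it is consulted. The thread is from 2005, when Release files carried only MD5Sum; a current Release file also has a SHA256 section of the same shape (with the matching Packages field named SHA256), and since MD5 is no longer collision resistant that is the section to check today, which is a one-line change to the constants below.

```python
"""Offline walk of a Debian mirror following the three steps in the reply above. Added example,
not Debian or APT code: the Release section and Packages fields are the real formats, but the
tree written by build_sample_mirror() is constructed and the keyring path is an assumption."""
import hashlib, shutil, subprocess, tempfile
from pathlib import Path

# Release hash section used here (2005-era); for a current archive use "sha256"/"SHA256".
ALGO, PKG_FIELD = "md5", "MD5sum"

def parse_release_hashes(text, section="MD5Sum"):
    """{path: (hexdigest, size)} from one 'MD5Sum:'-style section of indented hash/size/path lines."""
    hashes, in_section = {}, False
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):
            in_section = line.strip() == section + ":"  # a new header ends the previous section
            continue
        parts = line.split()
        if in_section and len(parts) == 3:
            hashes[parts[2]] = (parts[0].lower(), int(parts[1]))
    return hashes

def parse_packages(text):
    """Yield one {field: value} dict per blank-line-separated stanza of a Packages file."""
    stanza = {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last stanza
        if not line.strip():
            if stanza:
                yield stanza
            stanza = {}
        elif line[0] not in " \t":  # indented continuation lines (Description) are skipped
            field, _, value = line.partition(":")
            stanza[field] = value.strip()

def check_entry(root, relpath, digest, size):
    """None when the file matches its listed size and hash, else a problem string."""
    path = Path(root) / relpath
    if not path.is_file():
        return "missing: " + relpath
    if path.stat().st_size != size:
        return "size mismatch: " + relpath
    h = hashlib.new(ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return None if h.hexdigest() == digest else ALGO + " mismatch: " + relpath

def verify_release_signature(dist_dir, keyring="/usr/share/keyrings/debian-archive-keyring.gpg"):
    """Step 1: detached-signature check with gpgv (what APT uses) against the archive keyring.
    Needs gpgv and a real keyring, so the offline demo does not call it; the path is an assumption."""
    d = Path(dist_dir)
    return subprocess.run(["gpgv", "--keyring", keyring, str(d / "Release.gpg"), str(d / "Release")]).returncode == 0

def check_dist(mirror, dist):
    """Steps 2 and 3: check every file Release lists, then every .deb listed by each Packages file
    that passed. An index that fails step 2 is not descended into. Returns a list of problems."""
    dist_dir = Path(mirror) / "dists" / dist
    listed = parse_release_hashes((dist_dir / "Release").read_bytes().decode())
    problems = []
    for relpath, (digest, size) in listed.items():
        bad = check_entry(dist_dir, relpath, digest, size)
        if bad:
            problems.append(bad)
        elif relpath.endswith("/Packages"):  # Packages.gz carries the same stanzas, so plain is enough
            for pkg in parse_packages((dist_dir / relpath).read_bytes().decode()):
                bad = check_entry(mirror, pkg["Filename"], pkg[PKG_FIELD].lower(), int(pkg["Size"]))
                if bad:
                    problems.append(bad)
    return problems

def build_sample_mirror(root):
    """Constructed one-package mirror: a fake .deb plus the Packages and Release files describing it."""
    root, deb_rel = Path(root), "pool/main/f/foo/foo_1.0_i386.deb"
    deb = b"!<arch>\ndebian-binary   0 0 0 644 4 `\n2.0\n"  # a few bytes, not a real package
    (root / deb_rel).parent.mkdir(parents=True)
    (root / deb_rel).write_bytes(deb)
    packages = ("Package: foo\nVersion: 1.0\nArchitecture: i386\nFilename: %s\nSize: %d\nMD5sum: %s\n"
                "Description: constructed sample\n continuation line\n\n"
                % (deb_rel, len(deb), hashlib.md5(deb).hexdigest())).encode()
    idx = root / "dists" / "sarge" / "main" / "binary-i386" / "Packages"
    idx.parent.mkdir(parents=True)
    idx.write_bytes(packages)
    (root / "dists" / "sarge" / "Release").write_bytes(("Origin: Debian\nSuite: testing\nMD5Sum:\n %s %d "
        "main/binary-i386/Packages\n" % (hashlib.md5(packages).hexdigest(), len(packages))).encode())
    return deb_rel, idx

def demo():
    """Returns (clean, bad_deb, bad_index): problem lists for an untouched tree, a same-size .deb edit,
    and an edited Packages index (the .deb under it is still bad but is no longer consulted)."""
    root = tempfile.mkdtemp()
    try:
        deb_rel, idx = build_sample_mirror(root)
        clean = check_dist(root, "sarge")
        with open(Path(root) / deb_rel, "r+b") as f:
            f.write(b"X")  # overwrite the first byte: same size, different md5
        bad_deb = check_dist(root, "sarge")
        with open(idx, "ab") as f:
            f.write(b"Package: evil\n")  # index no longer matches the (signed) Release
        bad_index = check_dist(root, "sarge")
        return clean, bad_deb, bad_index
    finally:
        shutil.rmtree(root)
```

On a real mirror, call verify_release_signature() first for each dists/D and only then check_dist(); a failed signature means the Release file itself cannot be trusted and the remaining checks prove nothing. Note what this procedure does not cover: a file present on the mirror but listed in no Release or Packages file is never examined. APT never fetches such a file, so it is not a client-side risk, but an admin wanting a clean mirror can still diff the tree against the upstream file list.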