Re: Mirrors security

To: Felipe Massia Pereira <felipe@las.ic.unicamp.br>
Cc: debian-security@lists.debian.org
Subject: Re: Mirrors security
From: Brendan O'Dea <bod@debian.org>
Date: Wed, 9 Feb 2005 00:48:03 +1100
Message-id: <[🔎] 20050208134803.GA22726@londo.c47.org>
In-reply-to: <[🔎] Pine.LNX.4.61.0502080308380.30004@quasar.las.ic.unicamp.br>
References: <[🔎] 4203F817.8000602@las.ic.unicamp.br> <[🔎] 20050205044552.GA7353@londo.c47.org> <[🔎] Pine.LNX.4.61.0502080308380.30004@quasar.las.ic.unicamp.br>

On Tue, Feb 08, 2005 at 03:17:12AM -0200, Felipe Massia Pereira wrote:
>Do I really have to check all .deb files of Packages files if I have 
>already checked all Packages' files themselves and they do check? AFAIK 
>apt-get always check if md5 (from Packages files it downloads) does not 
>match and warns/forbids the user of intalling such a "dirty" package. I 
>mean, what really matters is to check if all Packages{,.gz} have got a 
>good signature from Archiver, am I right?

Right.  APT does check that step, so if all you wish to do is ensure
that you are serving valid Packages files to users then steps 1 and 2 I
outlined are fine.

Step 3 is only required if you wish to verify for yourself the integrity
of the mirror, or to cater for users who may download packages via wget
or whatever to install directly with dpkg.

--bod

Reply to:

References:
- Mirrors security
  - From: Felipe Massia Pereira <felipe@las.ic.unicamp.br>
- Re: Mirrors security
  - From: Brendan O'Dea <bod@debian.org>
- Re: Mirrors security
  - From: Felipe Massia Pereira <felipe@las.ic.unicamp.br>

Prev by Date: Re: Grsecurity patches on Debian
Next by Date: UNSUBSCRIBE
Previous by thread: Re: Mirrors security
Next by thread: AWStats Multiple Unspecified Remote Input Validation Vulnerabilities
Index(es):
- Date
- Thread