Re: Mirrors security

On Tue, Feb 08, 2005 at 03:17:12AM -0200, Felipe Massia Pereira wrote:
>Do I really have to check all .deb files of Packages files if I have 
>already checked all Packages' files themselves and they do check? AFAIK 
>apt-get always checks if md5 (from Packages files it downloads) does not 
>match and warns/forbids the user of installing such a "dirty" package. I 
>mean, what really matters is to check if all Packages{,.gz} have got a 
>good signature from Archiver, am I right?

Right.  APT does check that step, so if all you wish to do is ensure
that you are serving valid Packages files to users then steps 1 and 2 I
outlined are fine.

Step 3 is only required if you wish to verify for yourself the integrity
of the mirror, or to cater for users who may download packages via wget
or whatever to install directly with dpkg.
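The "step 3" check described above, as an added example that is not part of the original thread or of any Debian tool: walk a Packages file, and for every stanza compare the Size and MD5sum fields against the .deb actually present on the mirror. The Packages text and the .deb contents are constructed inline for this example (they are not real packages); on a real mirror `read_file` would read from the pool directory, and the signature check on Release/Packages (steps 1 and 2) would already have been done before trusting the hashes used here.

```python
import hashlib
import re

# Constructed sample mirror: path -> bytes of the .deb (hand-made, not real packages).
DEB_FILES = {
    "pool/main/f/foo/foo_1.0-1_i386.deb": b"fake deb contents for foo",
    "pool/main/b/bar/bar_2.3_i386.deb": b"fake deb contents for bar",
}

# Constructed Packages file describing those files, in the usual
# blank-line-separated stanza format. Hashes are computed once here so the
# sample is internally consistent; a real mirror serves this file signed
# (indirectly, via Release) by the archive key.
PACKAGES_TEXT = "\n\n".join(
    f"Package: {path.rsplit('/', 1)[1].split('_')[0]}\n"
    f"Filename: {path}\n"
    f"Size: {len(data)}\n"
    f"MD5sum: {hashlib.md5(data).hexdigest()}"
    for path, data in DEB_FILES.items()
) + "\n"


def parse_packages(text):
    """Yield one dict of fields per stanza of a Packages file."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            # Continuation lines (leading space) belong to multi-line fields
            # such as Description; they carry nothing we need here.
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields:
            yield fields


def verify_mirror(packages_text, read_file):
    """Check every .deb listed in packages_text against the mirror.

    read_file(path) returns the file's bytes or raises KeyError if absent.
    Returns (ok, bad): ok is a list of verified paths, bad a list of
    (path, reason) for files that are missing, truncated or altered.
    """
    ok, bad = [], []
    for pkg in parse_packages(packages_text):
        path = pkg["Filename"]
        try:
            data = read_file(path)
        except KeyError:
            bad.append((path, "missing"))
            continue
        # Size is cheap to compare first; a size match with an MD5 mismatch
        # is the case a plain "is the file there" check would never catch.
        if len(data) != int(pkg["Size"]):
            bad.append((path, "size mismatch"))
        elif hashlib.md5(data).hexdigest() != pkg["MD5sum"]:
            bad.append((path, "md5 mismatch"))
        else:
            ok.append(path)
    return ok, bad


def check_clean():
    """Mirror exactly as described by Packages: everything verifies."""
    return verify_mirror(PACKAGES_TEXT, DEB_FILES.__getitem__)


def check_tampered():
    """Constructed failure cases: one .deb altered with its size unchanged,
    one .deb missing from the pool."""
    mirror = dict(DEB_FILES)
    mirror["pool/main/f/foo/foo_1.0-1_i386.deb"] = b"fake deb contents for fo0"
    del mirror["pool/main/b/bar/bar_2.3_i386.deb"]
    return verify_mirror(PACKAGES_TEXT, mirror.__getitem__)


if __name__ == "__main__":
    for label, result in (("clean", check_clean()), ("tampered", check_tampered())):
        ok, bad = result
        print(f"{label}: {len(ok)} ok, {len(bad)} bad {bad}")
```

The same loop applies unchanged to the SHA256 field that current Packages files also carry; only the field name and hash constructor differ. Verifying the .deb hashes is pointless unless the Packages file itself came through a checked Release signature, which is the point the reply makes about steps 1 and 2.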


