Re: How to verify package integrity after they have been downloaded?
On Sun, Apr 6, 2008, Julien Stuby <firstname.lastname@example.org> wrote:
> If some packages are locally modified, this suggests that your local system is already compromised.
Of course. I will be verifying the integrity of my .deb files from
another, more trusted system (a LiveCD or a hardened host that has
never been connected to any network, etc.). So the compromise of my
system won't prevent me from checking the package integrity securely.
The second system is not immune. It might have a vulnerability in its
filesystem layer or in the code that processes the Release and
Packages files, and a local IDS might not be able to detect the
exploitation of such a vulnerability. But that is acceptable because
the attack surface of the trusted system is much reduced compared to
that of the first system.
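The check the reply describes, carried out on the trusted second system, as an added example that is not part of the original thread: parse the stanzas of an APT Packages index and compare each downloaded .deb against its listed Size and SHA256. The Packages excerpt, the .deb contents and the path names below are constructed for illustration; authenticating the index itself against the signed Release file is assumed to have happened already and is not shown.

```python
"""Verify downloaded .deb files against the Size and SHA256 fields of an
APT Packages index, from a separate trusted host.

Added example for this thread, not code from the original post. The
Packages excerpt, the .deb payloads and the file names are constructed.
The index must first be authenticated via the signed Release file; that
step is assumed done here.
"""
import hashlib
import hmac
import os
import tempfile


def parse_packages_index(text):
    """Parse the RFC822-style stanzas of a Packages file into a dict keyed
    by the basename of each stanza's Filename field."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            # Continuation lines (e.g. long Description) start with a space
            # and are not needed for integrity checking.
            if not line or line.startswith(" "):
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Filename" in fields:
            entries[os.path.basename(fields["Filename"])] = fields
    return entries


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file so large archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_deb(path, index):
    """Return (ok, reason). A file the index does not list is reported as
    a failure rather than silently skipped."""
    entry = index.get(os.path.basename(path))
    if entry is None:
        return False, "not listed in Packages index"
    size = os.path.getsize(path)
    if "Size" in entry and size != int(entry["Size"]):
        return False, f"size mismatch: {size} != {entry['Size']}"
    expected = entry.get("SHA256")
    if not expected:
        return False, "index entry has no SHA256 field"
    actual = sha256_of_file(path)
    if not hmac.compare_digest(actual, expected.lower()):
        return False, f"sha256 mismatch: {actual} != {expected}"
    return True, "ok"


# --- constructed sample data (not a real archive, not a real index) ----
GOOD_DEB = b"!<arch>\nconstructed-deb-contents\n"
TAMPERED_DEB = GOOD_DEB[:-1] + b"X"   # same length, different content

SAMPLE_INDEX = f"""\
Package: example-tool
Version: 1.0-1
Architecture: amd64
Filename: pool/main/e/example-tool/example-tool_1.0-1_amd64.deb
Size: {len(GOOD_DEB)}
SHA256: {hashlib.sha256(GOOD_DEB).hexdigest()}
Description: constructed entry for this example
 continuation line that the parser ignores
"""


def run_demo():
    """Write the constructed .deb files into a temp dir and verify them.
    Returns a dict of verify_deb() results keyed by case name."""
    index = parse_packages_index(SAMPLE_INDEX)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for case, content in (("clean", GOOD_DEB), ("tampered", TAMPERED_DEB)):
            subdir = os.path.join(tmp, case)
            os.mkdir(subdir)
            path = os.path.join(subdir, "example-tool_1.0-1_amd64.deb")
            with open(path, "wb") as fh:
                fh.write(content)
            results[case] = verify_deb(path, index)
        unlisted = os.path.join(tmp, "unknown_0.1_amd64.deb")
        with open(unlisted, "wb") as fh:
            fh.write(b"x")
        results["unlisted"] = verify_deb(unlisted, index)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in run_demo().items():
        print(f"{case:9s} {'PASS' if ok else 'FAIL'}: {reason}")
```

The digest comparison uses `hmac.compare_digest` and the unlisted file is a hard failure, so a package that was dropped from or never present in the authenticated index cannot pass by default.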