Re: How to verify package integrity after they have been downloaded?

To: debian-security@lists.debian.org
Subject: Re: How to verify package integrity after they have been downloaded?
From: Bernd Eckenfels <ecki@lina.inka.de>
Date: Sun, 06 Apr 2008 18:00:03 +0200
Message-id: <[🔎] E1JiXHn-00014D-00@calista.eckenfels.net>
In-reply-to: <[🔎] c7b40f9d0804051611r6e7f965aw24ed1038237901ba@mail.gmail.com>

In article <[🔎] c7b40f9d0804051611r6e7f965aw24ed1038237901ba@mail.gmail.com> you wrote:
> If you are talking about automating the verification process, that
> wouldn't quite work. The system that downloads the packages might have
> been compromised. The files that I would sign on that system might
> have been already modified at the time when I sign them.

Yes you are right, does not work in your scenario.

But you can use the unsecure system as a proxy and use apt-get/secure on the trusted machine.

Gruss
Bernd

Reply to:

References:
- Re: How to verify package integrity after they have been downloaded?
  - From: "Alexander Konovalenko" <alexkon@gmail.com>

Prev by Date: RE: How to verify package integrity after they have been downloaded?
Next by Date: Re: TR: How to verify package integrity after they have been downloaded?
Previous by thread: RE: How to verify package integrity after they have been downloaded?
Next by thread: Re: How to verify package integrity after they have been downloaded?
Index(es):
- Date
- Thread