
Re: Integrity check against package repository?



On Tue, Apr 30, 2013 at 12:02 PM, Matthew Babcock wrote:

> So I was just looking around on a mirror, and it seems that Debian is
> already fixing this large problem. I say that because if you look at the
> InRelease file, it is signed.
>
> However, I do not see aptitude update retrieving the InRelease file,
> only the Release file.

Perhaps you weren't watching when it downloaded the Release.gpg file?

Your suggestion has been implemented for a long time:

http://wiki.debian.org/SecureApt

If you want to verify Packages/Sources from a specific date you can
use snapshot.debian.org. Obviously you will come across OpenPGP key
expiry issues if the files are old enough.

http://snapshot.debian.org/

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
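
An added example, not part of the original message and not apt's own code: the signed Release file (signed either by the detached Release.gpg or inline as InRelease) lists the size and SHA256 of every index file, so a downloaded Packages file can be checked against it. The sketch assumes the signature on the Release text has already been verified separately (for example with gpgv); the sample data and function names are constructed for illustration.

```python
import hashlib

def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256: section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            # Entry lines are indented: "<hash> <size> <path relative to the dist directory>"
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
        else:
            in_section = False  # any other field or blank line ends the section
    return entries

def verify_index(release_text, path, data):
    """Check a downloaded index file against the Release entry for `path`.

    Only meaningful if the signature over release_text was verified first;
    otherwise whoever altered the index could have altered the hash list too.
    """
    entries = parse_release_sha256(release_text)
    if path not in entries:
        return "not-listed"      # Release does not vouch for this file at all
    digest, size = entries[path]
    if len(data) != size:
        return "size-mismatch"   # truncated or padded download
    if hashlib.sha256(data).hexdigest() != digest:
        return "hash-mismatch"   # same length, different content
    return "ok"

# Constructed sample data (not taken from a real mirror).
PACKAGES = b"Package: hello\nVersion: 0.0-constructed\nArchitecture: amd64\n"
RELEASE = f"""Origin: Debian
Suite: stable
MD5Sum:
 {hashlib.md5(PACKAGES).hexdigest()} {len(PACKAGES):>8} main/binary-amd64/Packages
SHA256:
 {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES):>8} main/binary-amd64/Packages
"""

if __name__ == "__main__":
    path = "main/binary-amd64/Packages"
    print(verify_index(RELEASE, path, PACKAGES))
    print(verify_index(RELEASE, path, PACKAGES.replace(b"hello", b"hellp")))
```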

