
Re: Integrity check against package repository?

On Tue, Apr 30, 2013 at 12:02 PM, Matthew Babcock wrote:

> So I was just looking around on a mirror, and it seems that Debian is
> already fixing this large problem. I say that because if you look at the
> InRelease file, it is signed.
> However, I do not see aptitude update retrieving the InRelease file,
> only the Release file.

Perhaps you weren't watching when it downloaded the Release.gpg file?

Your suggestion has been implemented for a long time:


If you want to verify Packages/Sources from a specific date you can
use snapshot.debian.org. Obviously you will come across OpenPGP key
expiry issues if the files are old enough.