Re: Integrity check against package repository?
On Tue, Apr 30, 2013 at 12:02 PM, Matthew Babcock wrote:
> So I was just looking around on a mirror, and it seems that Debian is
> already fixing this large problem. I say that because if you look at the
> InRelease file, it is signed.
> However, I do not see aptitude update retrieving the InRelease file,
> only the Release file.
Perhaps you weren't watching when it downloaded the Release.gpg file?
Your suggestion has been implemented for a long time:
If you want to verify Packages/Sources from a specific date you can
use snapshot.debian.org. Obviously you will come across OpenPGP key
expiry issues if the files are old enough.