
apt download security?



Hi all,

The note at the end of this message was posted to a local users
group - mostly Red Hat users.

Since I've never worried about checksumming the incoming debs and
haven't a clue whether you can or not, I'm ill prepared to defend
Debian.

However, I'm not above accepting all the help I can find. Can
someone verify the statement below?  Or better yet, is the
statement wrong?   Is there a way to verify the integrity of the
downloaded debs?

Thanks
John


--------------------------------------------------------------------------

The Debian package system seems to work well, but it's designed
with the naive assumption that anyone with a mirror is a "good guy".
There's no way to verify that the packages you are installing are not
trojaned.  It would be very simple for someone to post a trojaned
package which gives remote root access and track who gets it.  Are
there any plans to add some secure verification features to future
versions of apt-get/.deb?

Here's how you can verify and update your installation with rpm:

gpg --import /mnt/cdrom/RPM-GPG-KEY
rpm --checksig ftp://server/redhat/updates/7.0/i386/*.rpm
rpm -F ftp://server/redhat/updates/7.0/i386/*.rpm

---------------------------------------------------------------------------
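An added example, not part of the thread above, showing the hash chain that signed Debian archives use to answer the question: a signed Release file lists the SHA256 of each Packages index, and each Packages stanza lists the SHA256 of its .deb. It assumes the Release signature has already been checked with gpgv against a trusted keyring (that step is not shown); all file contents and paths here are constructed so it runs offline.

```python
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release: str) -> dict:
    """Return {path: (sha256, size)} from the 'SHA256:' block of a Release file."""
    entries, in_block = {}, False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):  # indented lines belong to the block
                break
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages: str) -> dict:
    """Return {Filename: SHA256} from each blank-line separated stanza."""
    result = {}
    for stanza in re.split(r"\n\s*\n", packages.strip()):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        result[fields["Filename"]] = fields["SHA256"]
    return result


def verify_deb(release, packages_bytes, packages_path, deb_path, deb_bytes) -> bool:
    """Check the Packages index against Release, then the .deb against Packages."""
    expected = parse_release_sha256(release).get(packages_path)
    if expected != (sha256_hex(packages_bytes), len(packages_bytes)):
        return False  # index missing from Release, or tampered with
    index = parse_packages(packages_bytes.decode())
    return index.get(deb_path) == sha256_hex(deb_bytes)


# Constructed sample data (not a real archive): a stand-in .deb, the Packages
# stanza that lists it, and the Release file that lists the Packages index.
DEB_PATH = "pool/main/e/example/example_1.0-1_amd64.deb"
DEB_BYTES = b"not a real .deb, constructed for this example\n"
PACKAGES_PATH = "main/binary-amd64/Packages"
PACKAGES_BYTES = (
    "Package: example\nVersion: 1.0-1\nArchitecture: amd64\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB_BYTES)}\nSHA256: {sha256_hex(DEB_BYTES)}\n\n"
).encode()
RELEASE = (
    "Origin: Debian\nSuite: stable\nSHA256:\n"
    f" {sha256_hex(PACKAGES_BYTES)} {len(PACKAGES_BYTES)} {PACKAGES_PATH}\n"
)
```

A mirror that serves a modified .deb, or a modified Packages index, fails one of the two comparisons; only a change to the signed Release file would survive, which is what the signature check guards against.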
