apt download security?
Hi all,
The note at the end of this message was posted to a local users
group - mostly Red Hat users.
Since I've never worried about checksumming the incoming debs and
haven't a clue whether you can or not, I'm ill prepared to defend
Debian.
However, I'm not above accepting all the help I can find. Can
someone verify the statement below? Or better yet, is the
statement wrong? Is there a way to verify the integrity of the
downloaded debs?
Thanks
John
--------------------------------------------------------------------------
The Debian package system seems to work well, but it's designed
with the naive assumption that anyone with a mirror is a "good guy".
There's no way to verify that the packages you are installing are not
trojaned. It would be very simple for someone to post a trojaned package
which gives remote root access and track who gets it. Are there any plans
to add some secure verification features to future versions of
apt-get/.deb?
Here's how you can verify and update your installation with rpm:
gpg --import /mnt/cdrom/RPM-GPG-KEY
rpm --checksig ftp://server/redhat/updates/7.0/i386/*.rpm
rpm -F ftp://server/redhat/updates/7.0/i386/*.rpm
---------------------------------------------------------------------------