Re: apt download security?
But doesn't Packages.gz contain the md5sum of all the .debs under the directory
it's in? I see a line in Packages.gz (after decompressing) that reads something
like:
MD5sum: 7513d28d6ddde80706727944e9732c2c
Doesn't apt-get check this line before installing stuff?
On Wed, 08 Nov 2000, Bruce Richardson wrote:
> On Tue, Nov 07, 2000 at 02:22:29AM +0000, John Carline wrote:
> > However, I'm not above accepting all the help I can find. Can
> > someone verify the statement below? Or better yet, is the
> > statement wrong? Is there a way to verify the integrity of the
> > downloaded debs?
>
> dpkg -p debian-keyring
> man dscverify
>
> Also Packages.gz can and should be signed.
>
> Unfortunately, while source packages can be checked quite easily, they
> are not always verifiable. There is no simple mechanism for verifying
> debs *at all*. Nor even Packages.gz - and the integrity of Packages.gz
> isn't actually a guarantee of the integrity of any of the packages.
>
> So there is a hole here.
>
> --
> Bruce
>
> Remember you're a Womble.
>
>
> --
> Unsubscribe? mail -s unsubscribe debian-user-request@lists.debian.org < /dev/null
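As an added illustration of the exchange above (this is example code, not anything posted in the thread or shipped by apt or dpkg): the script below parses Packages-style stanzas, compares the MD5sum and Size fields against the bytes of a .deb, and then shows the limitation Bruce raises. The package name, the Filename path and the archive bytes are all constructed for the example; the parser is a minimal one that handles only the blank-line-separated, "Key: value" plus continuation-line layout of a Packages file.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample standing in for the raw bytes of a .deb file. It is not a
# real package, only data whose MD5 can be recorded in a Packages entry.
SAMPLE_DEB = b"!<arch>\ndebian-binary   (constructed sample .deb contents)\n2.0\n"
TAMPERED_DEB = SAMPLE_DEB + b"\n# extra bytes: the archive no longer matches its entry\n"
# Hypothetical archive path; the real layout of a mirror is not needed here.
FILENAME = "dists/potato/main/binary-i386/utils/example-tool_1.0-1_i386.deb"


def build_packages_entry(filename: str, data: bytes) -> str:
    """Produce one Packages stanza for the given archive bytes, recording the
    Size and MD5sum the way an archive's index generator would."""
    return (
        "Package: example-tool\n"
        "Version: 1.0-1\n"
        "Architecture: i386\n"
        f"Filename: {filename}\n"
        f"Size: {len(data)}\n"
        f"MD5sum: {hashlib.md5(data).hexdigest()}\n"
        "Description: constructed example entry\n"
        " Continuation lines of a field start with a space.\n"
    )


SAMPLE_PACKAGES = build_packages_entry(FILENAME, SAMPLE_DEB)


def parse_packages(text: str) -> List[Dict[str, str]]:
    """Split a (decompressed) Packages file into stanzas: one dict per package,
    separated by blank lines; lines starting with whitespace continue the
    previous field."""
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current, last_key = {}, None
            continue
        if line[0] in " \t" and last_key:
            current[last_key] += "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def verify_deb(stanza: Dict[str, str], data: bytes) -> bool:
    """Check one archive against its stanza: Size (if present) and MD5sum must
    both match. A missing or malformed MD5sum counts as failure, never as a
    pass, so an index with the field stripped cannot silently disable the check."""
    expected_md5 = stanza.get("MD5sum", "").strip().lower()
    if len(expected_md5) != 32:
        return False
    if "Size" in stanza and stanza["Size"] != str(len(data)):
        return False
    actual_md5 = hashlib.md5(data).hexdigest()
    # The digest is not secret, so constant-time comparison is habit, not need.
    return hmac.compare_digest(actual_md5, expected_md5)


def check_archive(packages_text: str, files: Dict[str, bytes]) -> Dict[str, bool]:
    """Map every Filename listed in the Packages text to whether the bytes we
    hold for it verify; a listed file we do not have is reported as False."""
    results: Dict[str, bool] = {}
    for stanza in parse_packages(packages_text):
        name = stanza.get("Filename")
        if not name:
            continue
        data = files.get(name)
        results[name] = data is not None and verify_deb(stanza, data)
    return results


if __name__ == "__main__":
    print(check_archive(SAMPLE_PACKAGES, {FILENAME: SAMPLE_DEB}))    # genuine: verifies
    print(check_archive(SAMPLE_PACKAGES, {FILENAME: TAMPERED_DEB}))  # altered .deb: fails
    # Bruce's point: the MD5 in Packages.gz is only as trustworthy as Packages.gz
    # itself. Whoever can rewrite the index for the altered bytes passes again,
    # which is why the index needs a signature the client actually checks.
    print(check_archive(build_packages_entry(FILENAME, TAMPERED_DEB),
                        {FILENAME: TAMPERED_DEB}))                  # re-issued index: verifies
```

The third run is the one to take away from the thread: a hash list detects a .deb that disagrees with its index entry, but not an index that was replaced along with the package, so the MD5sum field answers the "corrupted download" question and not the "tampered mirror" one. Later apt releases address exactly this by verifying a signed Release file that in turn carries the hashes of Packages (see apt-secure(8)).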