
Re: apt download security?



But doesn't Packages.gz contain the md5sum of all the .debs under the directory
it's in? I see a line in Packages.gz (after decompressing) that reads something
like:

MD5sum: 7513d28d6ddde80706727944e9732c2c

Doesn't apt-get check this line before installing stuff?

On Wed, 08 Nov 2000, Bruce Richardson wrote:
> On Tue, Nov 07, 2000 at 02:22:29AM +0000, John Carline wrote:
> > However, I'm not above accepting all the help I can find. Can
> > someone verify the statement below?  Or better yet, is the
> > statement wrong?   Is there a way to verify the integrity of the
> > downloaded debs?
> 
> dpkg -p debian-keyring
> man dscverify
> 
> Also Packages.gz can and should be signed.  
> 
> Unfortunately, while source packages can be checked quite easily, they
> are not always verifiable.  There is no simple mechanism for verifying
> debs *at all*.  Nor even Packages.gz - and the integrity of Packages.gz
> isn't actually a guarantee of the integrity of any of the packages.
> 
> So there is a hole here.
> 
> -- 
> Bruce
> 
> Remember you're a Womble.
> 



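As an added example (not from this thread, and not apt's own code), here is the check the question asks about: parse a decompressed Packages index, find the .deb's stanza by its Filename field, and compare the recorded Size and MD5sum against the downloaded bytes. The stanza and the fake .deb payload are constructed inline; the script assumes the index itself has already been authenticated, because a matching MD5sum says nothing if whoever altered the .deb could also rewrite Packages.gz, which is the hole Bruce points at.

```python
import hashlib

def parse_packages(text):
    """Parse a decompressed Packages index into {Filename: {field: value}}.
    Stanzas are blank-line separated 'Field: value' records; a line that
    starts with whitespace continues the previous field (e.g. Description)."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields, last = {}, None
        for line in stanza.splitlines():
            if line[:1].isspace() and last:
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                name, _, value = line.partition(":")
                last = name.strip()
                fields[last] = value.strip()
        if "Filename" in fields:
            index[fields["Filename"]] = fields
    return index

def verify_deb(index, filename, data):
    """Return (ok, reason) for a downloaded .deb's bytes against its stanza.
    Size is checked first so a truncated download is reported without
    hashing; then the MD5sum field is compared with the file's digest."""
    entry = index.get(filename)
    if entry is None:
        return False, "not listed in Packages"
    if "Size" in entry and int(entry["Size"]) != len(data):
        return False, "size mismatch"
    if hashlib.md5(data).hexdigest() != entry.get("MD5sum", "").lower():
        return False, "MD5sum mismatch"
    return True, "ok"

# Constructed sample: a fake .deb payload and an index stanza describing it.
# Size and MD5sum are derived from the constructed bytes, standing in for the
# values a mirror's Packages.gz would carry for the real file.
GOOD_DEB = b"!<arch>\nconstructed-deb-payload\n"
DEB_PATH = "pool/main/h/hello/hello_1.0-1_i386.deb"
SAMPLE_PACKAGES = f"""Package: hello
Filename: {DEB_PATH}
Size: {len(GOOD_DEB)}
MD5sum: {hashlib.md5(GOOD_DEB).hexdigest()}
Description: constructed test stanza
 second line of the description
"""
INDEX = parse_packages(SAMPLE_PACKAGES)

if __name__ == "__main__":
    print(verify_deb(INDEX, DEB_PATH, GOOD_DEB))         # (True, 'ok')
    print(verify_deb(INDEX, DEB_PATH, GOOD_DEB + b"x"))  # (False, 'size mismatch')
```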