[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian package security


	The Packages file for the corresponding section hold the
 MD5sum of the .deb files.  For example, look at:

	Now, how do you know that the Packages file was not tampered
 with? The top level Release file has MD5Sums of the Packages files 

	Now, how do you know that the Release file has not been
 tampered with? Well, there is a detached signature of that file
 signed by ziyi, who is an automated script that creates Release files
 on the master archive. 

	How do you know that the signature is valid -- Hmm, pretty
 soon you shall be able to get the key from keyring.debian.org; but
 right now you need to know James Troup, and have access to
 master.debian.org (sorry).

 A bunch of Polish scientists decided to flee their repressive
 government by hijacking an airliner and forcing the pilot to fly them
 to the West.  They drove to the airport, forced their way on board a
 large passenger jet, and found there was no pilot on board.
 Terrified, they listened as the sirens got louder.  Finally, one of
 the scientists suggested that since he was an experimentalist, he
 would try to fly the aircraft. He sat down at the controls and tried
 to figure them out.  The sirens got louder and louder.  Armed men
 surrounded the jet.  The would be pilot's friends cried out, "Please,
 please take off now!!!  Hurry!!!" The experimentalist calmly replied,
 "Have patience.  I'm just a simple pole in a complex plane."
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to: