Re: verifying debian package integrity
On Sun, Apr 21, 2002 at 06:57:45AM +0800, csj wrote:
> On Fri, 19 Apr 2002 22:37:49 -0400
> Andy Saxena <andyML@nyc.rr.com> wrote:
>
> > Hi,
> >
> > I, like most of you, download deb packages from a mirror site. While
> > this mirror site is listed on Debian's list of mirrors, is there any way
> > to check the integrity of these deb packages automatically when I
> > download them?
> >
> > A possible setup would be to fetch the md5 checksums from the official
> > Debian website and run a check on the downloaded deb package.
> >
> > Any suggestions?
>
> Since you're asking for suggestions (rather than answers?), here's mine:
> use apt. When you apt-get a package, apt consults a Packages{.gz} file
> which contains the md5sums of the .deb you're installing. This will
> probably take care of the file integrity question, unless of course the
> Packages{.gz} file itself is trojaned.

Well put, but that's precisely my concern. I am surprised nobody else is
concerned by this missing security link.

On the same note, it would be nice to have a Packages-like file on the
main Debian website that could be used for this.

Thanks for the thought anyway.

-Andy
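
The comparison csj describes, as an added example that is not part of the original messages and is not apt's own code: a Python sketch that looks up a downloaded file in a Packages index and checks its Size and MD5sum fields. The package name, path and file contents are constructed sample data, and the function names are hypothetical.

```python
import hashlib

FILENAME = "pool/main/h/hello/hello_1.0-1_i386.deb"   # constructed path
SAMPLE_DEB = b"!<arch>\nconstructed example package body\n"  # constructed bytes

def packages_for(data, filename=FILENAME):
    """Build a constructed two-stanza Packages index describing `data`."""
    return (
        "Package: hello\nVersion: 1.0-1\n"
        f"Filename: {filename}\nSize: {len(data)}\n"
        f"MD5sum: {hashlib.md5(data).hexdigest()}\n"
        "Description: constructed entry\n continuation line\n"
        "\n"
        "Package: other\nVersion: 2.0-1\n"
        "Filename: pool/main/o/other/other_2.0-1_i386.deb\n"
        "Size: 1\nMD5sum: 00000000000000000000000000000000\n"
    )

def parse_packages(text):
    """Parse a Packages index into {Filename: {field: value}}."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields, last = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and last:   # folded continuation line
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                last, value = line.split(":", 1)
                fields[last] = value.strip()
        if "Filename" in fields:
            index[fields["Filename"]] = fields
    return index

def verify_deb(data, filename, index):
    """Compare downloaded bytes with the index entry; return (ok, reason)."""
    entry = index.get(filename)
    if entry is None:
        return False, "not listed in Packages"
    if not entry.get("Size", "").isdigit() or "MD5sum" not in entry:
        return False, "entry lacks Size or MD5sum"
    if int(entry["Size"]) != len(data):
        return False, "size mismatch"
    if hashlib.md5(data).hexdigest() != entry["MD5sum"].lower():
        return False, "md5 mismatch"
    return True, "matches Packages entry"

if __name__ == "__main__":
    index = parse_packages(packages_for(SAMPLE_DEB))
    print(verify_deb(SAMPLE_DEB, FILENAME, index))
    print(verify_deb(SAMPLE_DEB.replace(b"body", b"BODY"), FILENAME, index))
```

A pass here only says the file agrees with the Packages index it was checked against; an index regenerated to describe altered bytes passes the same check, which is the gap raised in the thread.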