
Re: signed package information



Tom Allison <tallison@tacocat.net> writes:

> I was just reading slashdot about the Debian distro and there was
> some discussion about the md5 signature of packages.
>
> Is there some way that this (is already or can be) implemented by
> default on package installations?

It's largely a matter of the maintainer generating the md5sum
information when they build the package; debsums(1) also has a
fragment you can drop in your APT configuration to generate md5sum
data for packages that don't include it.

But do note that this isn't necessarily useful for security.  If
your machine has been compromised, you could be checking with a
compromised debsums or md5sum program, or the attacker can overwrite
the debsums md5sum files.  It *is* useful if you have questionable
hardware and want to see what installed packages are damaged.

-- 
David Maze         dmaze@debian.org      http://people.debian.org/~dmaze/
"Theoretical politics is interesting.  Politicking should be illegal."
	-- Abra Mitchell
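The check David describes is a straightforward one: dpkg keeps, for each package, a `.md5sums` list of `<md5hex>  <path relative to />` lines under `/var/lib/dpkg/info/`, and debsums rehashes the installed files and compares. The following script is an added illustration written for this archive page, not code from debsums or from either poster; it builds a small constructed package tree in a temporary directory, generates the matching md5sums list, verifies it, then simulates a modified file and a deleted file to show what the verifier reports. As the reply above points out, the result only means something when the verifier, the hash tool and the md5sums list themselves come from a source you trust (for example a known-good boot medium), not from the host whose integrity is in question.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample "package": two files whose contents we control.
# Paths use the dpkg convention: relative to /, no leading slash.
SAMPLE_FILES = {
    "usr/bin/example-tool": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/example/copyright": b"Example license text\n",
}


def md5_of_file(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5sums(text):
    """Parse a dpkg-style .md5sums file: '<32 hex chars>  <relative path>' per line."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, relpath = line.partition("  ")
        if not sep or len(digest) != 32 or not relpath:
            raise ValueError("malformed md5sums line: %r" % line)
        entries[relpath] = digest
    return entries


def verify_package(md5sums_text, root):
    """Return {relpath: 'OK' | 'FAILED' | 'MISSING'} for every listed file."""
    results = {}
    for relpath, expected in parse_md5sums(md5sums_text).items():
        full = os.path.join(root, relpath)
        if not os.path.isfile(full):
            results[relpath] = "MISSING"
        elif md5_of_file(full) == expected:
            results[relpath] = "OK"
        else:
            results[relpath] = "FAILED"
    return results


def build_sample_tree(root):
    """Write the constructed files under root and return their md5sums list."""
    lines = []
    for relpath, content in SAMPLE_FILES.items():
        full = Path(root) / relpath
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(content)
        lines.append(hashlib.md5(content).hexdigest() + "  " + relpath)
    return "\n".join(lines) + "\n"


def demo():
    """Verify a clean tree, then a tree with one altered and one missing file."""
    with tempfile.TemporaryDirectory() as root:
        md5sums = build_sample_tree(root)
        clean = verify_package(md5sums, root)
        # Simulate the damage debsums is good at spotting: a changed binary
        # (bad disk, bad RAM, stray write) and a file that has disappeared.
        Path(root, "usr/bin/example-tool").write_bytes(b"#!/bin/sh\necho changed\n")
        os.remove(Path(root, "usr/share/doc/example/copyright"))
        damaged = verify_package(md5sums, root)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    for path, status in damaged.items():
        print("%-40s %s" % (path, status))
```

Running the script prints `FAILED` for the altered tool and `MISSING` for the removed copyright file; on a real system you would point `verify_package` at `/` with the contents of `/var/lib/dpkg/info/<package>.md5sums`.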


