
Verify a mirror?



Dear list,

I asked myself how I can check whether the packages on a mirror have not been manipulated.

The background of this is: the government institution I worked at before 
set up its own Debian repo mirror, so that the servers on its network could be 
upgraded from it.

However, I mistrusted the institution and feared they had manipulated packages 
and built in backdoors (for example) or other things.

Of course I can verify each single package against the original Debian repo, but 
that is very toilsome.

I checked the apt-* packages, but none of them matched my needs.

Is there a way (or maybe a package) to check a mistrusted package and 
verify it against another trusted repository?

Of course I know any repo is trusted by a PGP key (GPG key), but then I trust 
the whole source. This is clear to me. But I want to check every single 
package (with identical versions, of course), to give such traitors no chance.

Is this possible at all?

Thanks for any hints.

Best regards

Hans 
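
An added example, not part of the message above and not code from any Debian tool: one way to do the per-package check the message asks about is to compare the `Packages` index of the mistrusted mirror with the index of a repository that is already trusted, matching entries with identical name, version and architecture. The package names, versions and payloads below are constructed.

```python
import hashlib

def parse_packages(text):
    """Parse a Debian Packages index into {(name, version, arch): fields}."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Package" in fields:
            ident = tuple(fields.get(k, "") for k in ("Package", "Version", "Architecture"))
            index[ident] = fields
    return index

def compare_indexes(trusted, mirror):
    """Return (mismatched, unknown) identities found in the mirror index."""
    mismatched, unknown = [], []
    for ident in sorted(mirror):
        ref, entry = trusted.get(ident), mirror[ident]
        if ref is None:
            unknown.append(ident)          # same name/version/arch not in trusted repo
        elif (entry.get("SHA256"), entry.get("Size")) != (ref.get("SHA256"), ref.get("Size")):
            mismatched.append(ident)       # identical version, different content
    return mismatched, unknown

def deb_matches(deb_bytes, trusted_entry):
    """Check a .deb downloaded from the mirror against the trusted index entry."""
    return (len(deb_bytes) == int(trusted_entry["Size"])
            and hashlib.sha256(deb_bytes).hexdigest() == trusted_entry["SHA256"])

# Constructed sample data: hypothetical package names and fake payloads.
GOOD, BAD = b"constructed payload", b"constructed payload, modified"

def stanza(name, payload):
    return (f"Package: {name}\nVersion: 1.0-1\nArchitecture: amd64\n"
            f"Size: {len(payload)}\nSHA256: {hashlib.sha256(payload).hexdigest()}\n")

TRUSTED = parse_packages("\n".join([stanza("pkg-a", GOOD), stanza("pkg-b", b"b")]))
MIRROR = parse_packages("\n".join([stanza("pkg-a", BAD), stanza("pkg-b", b"b"),
                                   stanza("pkg-extra", b"x")]))

if __name__ == "__main__":
    print(compare_indexes(TRUSTED, MIRROR))
    print(deb_matches(GOOD, TRUSTED[("pkg-a", "1.0-1", "amd64")]))
```

In practice the trusted index comes from a repository whose `InRelease` signature was checked against the Debian archive keyring, and `deb_matches` is run on every file actually fetched from the mirror, since a mirror can publish an honest index and still serve a different file.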


