Verify a mirror?
Dear list,
I asked myself how I can check that there are no manipulated packages on a mirror.
The background of this is: the government institution I worked at before
set up its own Debian repo mirror, so that the servers on its network could be
upgraded from it.
However, I mistrusted the institution and feared they had manipulated packages
and built in backdoors (for example) or other things.
Of course I can verify each single package against the original Debian repo, but
that is very toilsome.
I checked the apt-* packages, but none of them described my needs.
Is there a way (or maybe a package) to check a mistrusted package and
verify it against another trusted repository?
Of course I know any repo is trusted by a PGP key (GPG key), but then I trust
the whole source. This is clear to me. But I want to check every single
package (with identical versions of course), to give such traitors no chance.
Is this possible at all?
Thanks for any hints.
Best regards
Hans
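
One way to do the per-package check asked about above, added here as an example that is not part of the original post: it compares the SHA256 fields of two Debian Packages indexes for entries with identical package, version and architecture. The function names and the sample stanzas are constructed for illustration, and the trusted index is assumed to come from a repository whose signed Release file was verified.

```python
# Added example. Package names, versions and digests below are constructed.
def parse_packages(text):
    """Parse a Debian Packages index into {(name, version, arch): sha256}."""
    index = {}
    for stanza in text.replace("\r\n", "\n").split("\n\n"):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line.startswith((" ", "\t")):       # continuation of previous field
                if key is not None:
                    fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                key = key.strip().lower()          # field names are case-insensitive
                fields[key] = value.strip()
        if "package" in fields and "version" in fields:
            ident = (fields["package"], fields["version"],
                     fields.get("architecture", ""))
            index[ident] = fields.get("sha256", "").lower()
    return index

def compare_indexes(trusted_text, mirror_text):
    """Report mirror entries that differ from the trusted index."""
    trusted = parse_packages(trusted_text)
    report = {"mismatch": [], "only_on_mirror": [], "no_hash": []}
    for ident, digest in sorted(parse_packages(mirror_text).items()):
        if ident not in trusted:
            report["only_on_mirror"].append(ident)   # nothing to compare against
        elif not digest or not trusted[ident]:
            report["no_hash"].append(ident)          # cannot be verified
        elif digest != trusted[ident]:
            report["mismatch"].append(ident)         # same version, different content
    return report

def _stanza(name, version, digest):
    # Constructed sample stanza in Packages-index layout.
    return (f"Package: {name}\nVersion: {version}\nArchitecture: amd64\n"
            f"Filename: pool/main/p/{name}/{name}_{version}_amd64.deb\n"
            f"SHA256: {digest}\n")

TRUSTED = "\n".join([_stanza("pkg-a", "1.0-1", "a" * 64),
                     _stanza("pkg-b", "2.0-1", "b" * 64)])
MIRROR = "\n".join([_stanza("pkg-a", "1.0-1", "a" * 64),
                    _stanza("pkg-b", "2.0-1", "c" * 64),
                    _stanza("pkg-c", "3.0-1", "d" * 64)])

if __name__ == "__main__":
    print(compare_indexes(TRUSTED, MIRROR))
```

Comparing indexes only shows what the mirror claims to serve; the .deb files actually downloaded from the mirror should be hashed and compared with the trusted index values as well.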