Re: Verify a mirror?

To: debian-user@lists.debian.org
Cc: debian-user@lists.debian.org
Subject: Re: Verify a mirror?
From: Tim Woodall <debianuser@woodall.me.uk>
Date: Tue, 20 Sep 2022 10:53:18 +0100 (BST)
Message-id: <[🔎] alpine.DEB.2.21.2209201041580.2545@einstein.home.woodall.me.uk>
In-reply-to: <[🔎] 3028749.zU6NIkxx0a@protheus2>
References: <[🔎] 3028749.zU6NIkxx0a@protheus2>

On Tue, 20 Sep 2022, Hans wrote:

Dear list,

I asked myself, how can I check, if on a mirror are not manipulated packages.

The background of this is: The institution of the government, I worked before,
set up an own debian repo mirror, so that the servers of its network could be
upgraded from it.

However, I mistrusted the institutation and feared, they manipulated packages
and built in backdoors (for example) or other things.

Of course I can verify each single package with the original debian repo, but
that is very toilsome.

I checked the apt-* packages, but none of it described my needs.

Is there a way (or maybe a package), how to check a mistrusted package and
verify it against another trusted repository?

Of course I know, any repo is trusted by a pgp-key (gpg-key), but then I trust
the whole source. This is clear for me. But I want to check every single
package (with identical versions of course), to give such traitors no chance.

Is this possible at all?

apt does this for you. There are a set of gpg public keys in
/etc/apt/trusted.gpg.d.

When apt downloads the releases file it verifies it with these keys. If
it cannot do that then it won't continue. (unless you're on a very old
distribution)

It then downloads the packages file and verifies its hash against the
one in the releases file that was signed.

And finally, when it downloads the package it verifies the hash against
the one in the packages file.

So you're safe using any mirror or http connection.

There is one possible concern if you're particularly worried about a
mirror - for a short time a mirror could delay updating which would mean
clients wouldn't get security fixes for known bugs. Eventually apt would
start complaining about the signature being too old.

Also, in rare cases, you might not want a government to know what
packages you're installing - e.g. crypto is restricted. Using https to a
mirror in another country will help but apt doesn't attempt to hide this
information and it might be possible to work out what was downloaded
just from bytes transferred and packet sizes to some degree.

Tim.

Reply to:

Follow-Ups:
- Re: Verify a mirror?
  - From: Hans <hans.ullrich@loop.de>
- Re: Verify a mirror?
  - From: David Christensen <dpchrist@holgerdanske.com>

References:
- Verify a mirror?
  - From: Hans <hans.ullrich@loop.de>

Prev by Date: Verify a mirror?
Next by Date: Re: question re tar
Previous by thread: Verify a mirror?
Next by thread: Re: Verify a mirror?
Index(es):
- Date
- Thread