
Re: Bug#945283: users should check whether they get same packages as all other users get



Hi dinar,

On Wed, Nov 27, 2019 at 01:31:26PM +0300, dinar qurbanov wrote:

> curl http://security-cdn.debian.org/debian-security/dists/buster/updates/InRelease \
>   | diff - /var/lib/apt/lists/mirror.yandex.ru_debian-security_dists_buster_updates_InRelease

> if there is no difference between files, then it is ok. then he can
> run "apt upgrade".

The files themselves are signed with Debian's archive key, so they can be
verified standalone using e.g.

    $ gpg \
        --no-default-keyring \
        --keyring /usr/share/keyrings/debian-archive-keyring.gpg \
        --verify /var/lib/apt/lists/security.debian.org_debian-security_dists_buster_updates_InRelease

The signature has a timestamp, which is the publication date of the file,
and the file itself contains an expiry date. APT already performs this
check automatically, so a modified file would fail this check, and apt
would ignore it.

   Simon
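The two checks Simon describes, worked through on a constructed InRelease file as an added example (not code from this thread or from APT itself): the Date/Valid-Until window, and the SHA256 list that ties each downloaded index to the signed file. Signature verification stays with gpg as shown above; the sample file's signature block is a placeholder.

```python
import hashlib
from email.utils import parsedate_to_datetime

PACKAGES = b"Package: example\nVersion: 1.0-1\nArchitecture: all\n"  # constructed index, not a real archive file

def sample_inrelease():
    """Constructed InRelease in Debian's clearsigned layout; the signature block is a placeholder."""
    digest = hashlib.sha256(PACKAGES).hexdigest()
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
            "Origin: Debian\nCodename: buster\nDate: Sat, 30 Nov 2019 10:00:00 UTC\n"
            "Valid-Until: Sat, 07 Dec 2019 10:00:00 UTC\nSHA256:\n"
            f" {digest} {len(PACKAGES)} main/binary-amd64/Packages\n"
            "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n")

def strip_clearsign(text):
    """Return the signed body of a clearsigned file (RFC 4880 dash-escaping undone)."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text                      # already a bare Release file
    start = lines.index("", 1) + 1       # armour headers end at the first blank line
    end = lines.index("-----BEGIN PGP SIGNATURE-----", start)
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[start:end])

def parse_release(text):
    """Split a Release body into header fields and a path -> (sha256, size) map."""
    fields, sha256, section = {}, {}, None
    for line in strip_clearsign(text).splitlines():
        if line.startswith(" "):         # entry of the current checksum section
            if section == "SHA256":
                digest, size, path = line.split()
                sha256[path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")
        section = key
        if value.strip():
            fields[key] = value.strip()
    return fields, sha256

def within_validity(fields, now):
    """APT's window: Date <= now <= Valid-Until. now: aware datetime or RFC 2822 text."""
    if isinstance(now, str):
        now = parsedate_to_datetime(now)
    published = parsedate_to_datetime(fields["Date"])
    expiry = parsedate_to_datetime(fields["Valid-Until"]) if "Valid-Until" in fields else now
    return published <= now <= expiry

def index_matches(sha256, path, data):
    """True when a downloaded index has the size and SHA256 that the Release file lists."""
    digest, size = sha256.get(path, (None, None))
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest
```

On a real mirror, feed `parse_release` the InRelease file only after `gpg --verify` has accepted it, and compare the listed digests against the Packages files fetched from the same mirror.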

