Re: Bug#945283: users should check whether they get same packages as all other users get
Hi dinar,
On Wed, Nov 27, 2019 at 01:31:26PM +0300, dinar qurbanov wrote:
> curl http://security-cdn.debian.org/debian-security/dists/buster/updates/InRelease
> | diff /var/lib/apt/lists/mirror.yandex.ru_debian-security_dists_buster_updates_InRelease -
> if there is no difference between files, then it is ok. then he can
> run "apt upgrade".
The files themselves are signed with Debian's archive key, so they can be
verified standalone using e.g.
    $ gpg \
        --no-default-keyring \
        --keyring /usr/share/keyrings/debian-archive-keyring.gpg \
        --verify /var/lib/apt/lists/security.debian.org_debian-security_dists_buster_updates_InRelease
The signature has a timestamp, which is the publication date of the file,
and the file itself contains an expiry date. APT already performs this
check automatically, so a modified file would fail this check, and apt
would ignore it.
Simon
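
The check described in the mail above, as an added example (not part of the original mail, and not APT's own code): verify the clearsigned InRelease file with gpgv, then compare the Valid-Until field of the signed payload with the current time. It assumes GNU date and gpgv; the function names and the sample Release header are constructed for illustration.

```shell
#!/bin/sh
# Added example: signature check plus expiry check for an InRelease file.
# Keyring path as given in the mail above.
KEYRING=${KEYRING:-/usr/share/keyrings/debian-archive-keyring.gpg}

# Print the first value of a header field (e.g. Date, Valid-Until).
release_field() {   # $1 = file, $2 = field name
    sed -n "s/^$2: //p" "$1" | head -n 1
}

# 0 = not expired at time $2 (epoch seconds, default: now),
# 1 = expired, 2 = no Valid-Until field or unparsable date.
release_is_fresh() {
    now=${2:-$(date +%s)}
    until_str=$(release_field "$1" Valid-Until)
    [ -n "$until_str" ] || return 2
    until_epoch=$(date -u -d "$until_str" +%s 2>/dev/null) || return 2
    [ "$now" -le "$until_epoch" ]
}

# Verify the signature, then run the expiry check on the signed payload
# only, so text outside the signed region is never parsed.
# Returns 3 if the signature does not verify, else release_is_fresh's code.
check_inrelease() {   # $1 = path to InRelease file
    payload=$(mktemp) || return 2
    rc=0
    if gpgv --keyring "$KEYRING" --output - "$1" >"$payload" 2>/dev/null; then
        release_is_fresh "$payload" || rc=$?
    else
        rc=3
    fi
    rm -f "$payload"
    return "$rc"
}

# Constructed sample of a Release header (not real archive data).
sample_release() {
    cat <<'EOF'
Origin: Debian
Suite: stable
Codename: buster
Date: Wed, 27 Nov 2019 09:24:07 UTC
Valid-Until: Wed, 04 Dec 2019 09:24:07 UTC
EOF
}
```

On a Debian system, check_inrelease takes the path of a file under /var/lib/apt/lists/ and returns 0 only if the signature verifies and the file has not expired.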