On Thu, 13 Dec 2001, Wichert Akkerman wrote:
>
> There is a separate plan for verifying signatures using apt. From
> memory this goes as follows:
>
> * deb packages are installed in the archive
> * the MD5 checksum for each package is listed in the Packages file
> * the MD5 checksum for each Packages file for a release is listed in
>   the Release file
> * the archive creates a signature for the Release file that apt can
>   verify

Hi,
Forgive me if my question is rather naive. I have the following scenario and am curious to know whether this has already been addressed:

1. Mr. Cracker sets up a mirror and claims it is a mirror for Debian distros.
2. Mr. Cracker recompiles trojaned packages and recomputes the MD5 checksums for them. These trojaned .debs are placed on the mirror.

How would a person getting .debs from this mirror be able to protect him/herself from such a situation? Would they have to exclusively get .debs from the Debian site itself?

Note that if the packages are PGP / GPG signed, the problem is only a little less acute. Mr. Cracker could sign the package with his / her key. How would a user know that Mr. Cracker is not in fact the maintainer?

Regards,
Jor-el
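The verification chain in the quoted plan, as an added example that is not part of this thread: the archive signature covers the Release file, the Release file lists the checksum of each Packages file, and the Packages file lists the checksum of each .deb. The block assumes the Release file's signature has already been checked (the gpg step is outside it), uses constructed sample data with a trimmed-down file format, and keeps the MD5 fields the message describes.

```python
import hashlib

# Constructed sample data: a genuine .deb and a trojaned rebuild (not real packages).
GOOD_DEB = b"genuine hello_1.0-1 contents"
TROJANED_DEB = b"trojaned hello_1.0-1 contents"
DEB_PATH = "pool/main/h/hello/hello_1.0-1_i386.deb"
PACKAGES_PATH = "main/binary-i386/Packages"

def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def make_packages(deb: bytes) -> bytes:
    """Minimal Packages stanza: the .deb's path and its MD5sum (trimmed, constructed format)."""
    return f"Package: hello\nFilename: {DEB_PATH}\nMD5sum: {md5hex(deb)}\n".encode()

def make_release(packages: bytes) -> bytes:
    """Minimal Release file: an MD5Sum: section listing the Packages file's digest and size."""
    return f"Suite: stable\nMD5Sum:\n {md5hex(packages)} {len(packages)} {PACKAGES_PATH}\n".encode()

def parse_release_sums(release: bytes) -> dict:
    """Map each path in the MD5Sum: section of a Release file to its digest."""
    sums, in_section = {}, False
    for line in release.decode().splitlines():
        if line.startswith("MD5Sum:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, _size, path = line.split()
            sums[path] = digest
        else:
            in_section = False
    return sums

def parse_packages_sums(packages: bytes) -> dict:
    """Map each Filename in a Packages file to its MD5sum."""
    sums, filename = {}, None
    for line in packages.decode().splitlines():
        if line.startswith("Filename: "):
            filename = line.split(": ", 1)[1]
        elif line.startswith("MD5sum: ") and filename:
            sums[filename] = line.split(": ", 1)[1]
    return sums

def verify_chain(trusted_release: bytes, packages: bytes, deb: bytes) -> str:
    """Walk the chain Release -> Packages -> .deb. trusted_release is the Release file
    whose archive signature has already been verified; that step is outside this block."""
    if parse_release_sums(trusted_release).get(PACKAGES_PATH) != md5hex(packages):
        return "reject: Packages file does not match the signed Release file"
    if parse_packages_sums(packages).get(DEB_PATH) != md5hex(deb):
        return "reject: .deb does not match the Packages file"
    return "ok"

SIGNED_RELEASE = make_release(make_packages(GOOD_DEB))  # Debian's own, signature checked
```

A mirror that recomputes the MD5sums of trojaned .debs changes the Packages file, so it no longer matches the signed Release file and the chain fails at the first step; passing it would require forging the archive signature. Current Debian archives carry SHA256 fields alongside the MD5 ones, but the chain is the same.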