On Tue, Apr 30, 2013 at 12:02 PM, Matthew Babcock wrote:

> So I was just looking around on a mirror, and it seems that Debian is
> already fixing this large problem. I say that because if you look at the
> InRelease file, it is signed.
>
> However, I do not see aptitude update retrieving the InRelease file,
> only the Release file.

Perhaps you weren't watching when it downloaded the Release.gpg file?

Your suggestion has been implemented for a long time:

http://wiki.debian.org/SecureApt

If you want to verify Packages/Sources from a specific date you can use
snapshot.debian.org. Obviously you will come across OpenPGP key expiry
issues if the files are old enough.

http://snapshot.debian.org/

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
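
An added example, not part of the original message: once the signature on Release has been validated (the detached Release.gpg, or the inline signature in InRelease), a downloaded Packages or Sources index is trusted only if its size and SHA256 match the entry in that signed file. The function names and sample data below are constructed for illustration, and signature verification itself is assumed to have been done separately, for instance with gpgv.

```python
import hashlib

def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            parts = line.split()
            if len(parts) == 3:  # "<digest> <size> <path>"
                digest, size, path = parts
                entries[path] = (digest.lower(), int(size))
        else:
            in_section = False  # any other top-level field ends the section
    return entries

def verify_index(release_text, path, data):
    """Check one downloaded index file against the already-verified Release."""
    entries = parse_release_sha256(release_text)
    if path not in entries:
        return False  # an index not listed in the signed Release is untrusted
    digest, size = entries[path]
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

# Constructed sample input: a tiny Packages index and a matching Release file.
SAMPLE_PATH = "main/binary-amd64/Packages"
SAMPLE_PACKAGES = b"Package: hello\nVersion: 2.8-4\n\n"

def build_sample_release(data, path):
    """Build a minimal Release file listing one index (constructed, unsigned)."""
    return (
        "Origin: Example\n"
        "Suite: stable\n"
        "SHA256:\n"
        f" {hashlib.sha256(data).hexdigest()} {len(data):>8} {path}\n"
        "Description: constructed sample\n"
    )

if __name__ == "__main__":
    release = build_sample_release(SAMPLE_PACKAGES, SAMPLE_PATH)
    print("intact index  :", verify_index(release, SAMPLE_PATH, SAMPLE_PACKAGES))
    print("tampered index:", verify_index(release, SAMPLE_PATH, SAMPLE_PACKAGES + b"x"))
```
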