Hi all,

The note at the end of this message was posted to a local users group - mostly Red Hat users.

Since I've never worried about checksumming the incoming debs and haven't a clue whether you can or not, I'm ill prepared to defend Debian. However, I'm not above accepting all the help I can find. Can someone verify the statement below? Or better yet, is the statement wrong? Is there a way to verify the integrity of the downloaded debs?

Thanks
John

--------------------------------------------------------------------------
The Debian package system seems to work well, but it's designed with the naive assumption that anyone with a mirror is a "good guy". There's no way to verify that the packages you are installing are not trojaned. It would be very simple for someone to post a trojaned package which gives remote root access and track who gets it. Are there any plans to add some secure verification features to future versions of apt-get/.deb?

Here's how you can verify and update your installation with rpm:

    gpg --import /mnt/cdrom/RPM-GPG-KEY
    rpm --checksig ftp://server/redhat/updates/7.0/i386/*.rpm
    rpm -F ftp://server/redhat/updates/7.0/i386/*.rpm
---------------------------------------------------------------------------
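As an added example (not part of John's message or the quoted note), the following script shows the integrity check the thread is asking about for .deb files: a downloaded archive is accepted only if its size and SHA-256 match an entry in a checksum manifest. The manifest layout (" <hash> <size> <path>" lines under a "SHA256:" header) is modeled on Debian Release-style index files; the manifest text and the package bytes here are constructed samples, not data from any real mirror. The script assumes the manifest has already been authenticated out of band (for example, a gpg signature over it checked against a key that did not come from the same mirror); without that step a hostile mirror could simply serve a manifest matching its trojaned package, which is the gap the quoted note describes.

```python
"""Verify a downloaded package against a trusted checksum manifest."""
import hashlib

# Constructed sample package bytes (not a real .deb archive); they stand in
# for the contents of a file fetched from a mirror.
GOOD_DEB = b"!<arch>\nexample package payload v1.0\n"
# Same size as GOOD_DEB but one byte changed: caught only by the hash check.
TAMPERED_SAME_SIZE = GOOD_DEB[:-2] + b"9\n"
# Bytes appended: caught by the cheap size check before hashing.
TAMPERED_LONGER = GOOD_DEB + b"extra bytes appended by a hostile mirror\n"

PKG_PATH = "pool/main/e/example/example_1.0_all.deb"


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed manifest in the Release-style layout. The digest is computed
# from the sample bytes above so the example is self-consistent offline;
# in practice this text comes from the distribution and is signature-checked
# (assumed done before this script trusts it).
MANIFEST = "\n".join([
    "Suite: stable",
    "SHA256:",
    f" {_sha256(GOOD_DEB)} {len(GOOD_DEB)} {PKG_PATH}",
    "",
])


def parse_manifest(text: str, algo: str = "SHA256") -> dict:
    """Return {path: (hexdigest, size)} for one checksum section.

    Entry lines are indented by a single space; the section ends at the
    next non-indented line. Malformed entries are an error, not skipped,
    because a silently dropped entry would make its package unverifiable.
    """
    entries = {}
    in_section = False
    for line in text.splitlines():
        if not line.startswith(" "):
            in_section = line.rstrip() == f"{algo}:"
            continue
        if not in_section:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, size, path = parts
        entries[path] = (digest.lower(), int(size))
    return entries


def verify_package(path: str, data: bytes, entries: dict) -> tuple:
    """Check a downloaded file's size and SHA-256 against the manifest.

    Returns (ok, reason). A file the manifest does not list is rejected:
    nobody has vouched for it, however plausible its name looks.
    """
    if path not in entries:
        return False, "not listed in manifest"
    expected_digest, expected_size = entries[path]
    if len(data) != expected_size:
        return False, f"size mismatch: {len(data)} != {expected_size}"
    if _sha256(data) != expected_digest:
        return False, "sha256 mismatch"
    return True, "ok"


if __name__ == "__main__":
    entries = parse_manifest(MANIFEST)
    for label, blob in [("good", GOOD_DEB),
                        ("same-size tamper", TAMPERED_SAME_SIZE),
                        ("appended tamper", TAMPERED_LONGER)]:
        ok, reason = verify_package(PKG_PATH, blob, entries)
        print(f"{label:17} -> {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The check is deliberately two-stage: the size comparison is free and rejects truncated or padded downloads before any hashing, while the digest comparison catches a same-size substitution. Neither stage means anything unless the manifest itself is trusted, so the place to spend effort is on verifying its signature with a key obtained independently of the mirror.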