On Wed, May 15, 2002 at 08:19:29PM -0400, Andy Saxena wrote:
> Since the Packages.gz has md5sums for the entire package, one scheme
> would be to download this file from a trusted source, like the main
> Debian website, and then compare these checksums to the downloaded
> packages that come from a mirror site.
> 
> Has somebody already come up with a package that does this?

apt itself checks the MD5sum: fields in Packages files, so all you need
to do is verify Packages. There's a Release file on mirrors that
contains an MD5sum of Packages, and it's accompanied by a signature
(Release.gpg). See http://www.debian.org/releases/stable/ for how to
verify it.

There's a script that does all this here:

  http://www.debian.org/doc/manuals/securing-debian-howto/ch7.en.html#s7.3

> Again, my knowledge on this topic may be lacking, but it seems a lot
> of trust is placed in the administrators of mirror sites. How
> difficult would it be for an errant administrator to substitute the
> official packages with one of his own trojans?

Not inconceivable, although, as with most of these things, the attacker
would only get one chance before it was widely publicized that that
mirror was one to be avoided.

There are plans afoot for signed .debs, so that every package would come
with a PGP/GPG signature in the same way source packages do now. There's
a debsigs package in woody and support in dpkg ready for if and when
that's deployed.

-- 
Colin Watson                                  [EMAIL PROTECTED]
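The two-step hash chain Colin describes (Release.gpg signs Release, Release's MD5Sum stanza covers Packages, and each Packages stanza carries the MD5sum of one .deb), worked through in Python as an added example that is not part of this thread or of apt, debsigs or the Securing Debian Howto script. It assumes the gpg --verify of Release.gpg has already succeeded, so Release is the trusted root; the package paths, package bytes, Packages index and Release file are all constructed inline, and the file formats are reduced to the fields the check needs. The three scenarios at the end show what a mirror can and cannot get past the check: an honest mirror passes, a mirror that rewrites Packages to cover a swapped .deb is rejected at the Release step, and a mirror that swaps only the .deb is caught at the Packages step.

```python
import hashlib

# Constructed stand-ins for .deb files as a mirror would serve them.
# Neither the paths nor the bytes are real Debian packages.
ORIGINAL_DEBS = {
    "pool/main/h/hello/hello_2.1.1-4_i386.deb": b"constructed bytes of a hello package",
    "pool/main/b/bash/bash_2.05a-11_i386.deb": b"constructed bytes of a bash package",
}
PACKAGES_PATH = "main/binary-i386/Packages"  # path as listed in Release


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_packages(debs: dict) -> str:
    """Write a Packages index as the archive would: one stanza per .deb with
    the Filename, Size and MD5sum fields that apt later checks."""
    stanzas = []
    for path, data in debs.items():
        name = path.rsplit("/", 1)[1].split("_", 1)[0]
        stanzas.append(f"Package: {name}\nFilename: {path}\n"
                       f"Size: {len(data)}\nMD5sum: {md5hex(data)}\n")
    return "\n".join(stanzas)


def build_release(packages_text: str) -> str:
    """Write the Release file's MD5Sum stanza; Release.gpg signs this text."""
    body = packages_text.encode()
    return (f"Origin: Debian\nSuite: stable\nMD5Sum:\n"
            f" {md5hex(body)} {len(body)} {PACKAGES_PATH}\n")


def parse_release_md5sums(release_text: str) -> dict:
    """Return {path: (md5, size)} from the MD5Sum: stanza of a Release file."""
    sums, in_stanza = {}, False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_stanza = True
            continue
        if in_stanza:
            if not line.startswith(" "):      # stanza ends at first unindented line
                in_stanza = False
                continue
            digest, size, path = line.split()
            sums[path] = (digest, int(size))
    return sums


def parse_packages(packages_text: str) -> dict:
    """Return {Filename: {field: value}} for every stanza of a Packages file."""
    entries, current = {}, {}
    for line in packages_text.splitlines() + [""]:   # trailing "" flushes last stanza
        if not line.strip():
            if current:
                entries[current["Filename"]] = current
            current = {}
        elif ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return entries


def packages_index_matches_release(release_text: str, packages_text: str) -> bool:
    """Step 1: the Packages file must match the digest in the signed Release."""
    expected = parse_release_md5sums(release_text).get(PACKAGES_PATH)
    body = packages_text.encode()
    return expected == (md5hex(body), len(body))


def deb_matches_packages(packages_text: str, path: str, data: bytes) -> bool:
    """Step 2: each .deb must match the MD5sum and Size in the verified Packages."""
    entry = parse_packages(packages_text).get(path)
    if entry is None:
        return False
    return entry["MD5sum"] == md5hex(data) and int(entry["Size"]) == len(data)


def check_mirror(release_text: str, packages_text: str, debs: dict) -> dict:
    """Run the chain over what a mirror served; returns {path: ok}.
    If the index fails step 1, nothing it lists can be trusted."""
    if not packages_index_matches_release(release_text, packages_text):
        return {path: False for path in debs}
    return {path: deb_matches_packages(packages_text, path, data)
            for path, data in debs.items()}


# Trusted root: Release as it would be after gpg --verify Release.gpg succeeded
# (that signature step is assumed done and is not performed here).
TRUSTED_PACKAGES = build_packages(ORIGINAL_DEBS)
TRUSTED_RELEASE = build_release(TRUSTED_PACKAGES)

# A: honest mirror serves the originals.
HONEST_MIRROR = check_mirror(TRUSTED_RELEASE, TRUSTED_PACKAGES, ORIGINAL_DEBS)

# B: mirror swaps one .deb and rewrites Packages to match, but cannot re-sign
# Release, so the rewritten index fails step 1 and everything is rejected.
TAMPERED_DEBS = dict(ORIGINAL_DEBS)
TAMPERED_DEBS["pool/main/h/hello/hello_2.1.1-4_i386.deb"] = b"constructed bytes of a replaced package"
TAMPERED_PACKAGES = build_packages(TAMPERED_DEBS)
REWRITTEN_INDEX = check_mirror(TRUSTED_RELEASE, TAMPERED_PACKAGES, TAMPERED_DEBS)

# C: mirror swaps only the .deb; step 1 passes, step 2 flags that one package.
SWAPPED_DEB_ONLY = check_mirror(TRUSTED_RELEASE, TRUSTED_PACKAGES, TAMPERED_DEBS)

if __name__ == "__main__":
    for label, result in [("honest mirror", HONEST_MIRROR),
                          ("rewritten index", REWRITTEN_INDEX),
                          ("swapped deb only", SWAPPED_DEB_ONLY)]:
        print(label, result)
```

The point of splitting the check into two functions is that they protect against different things: step 1 is what the signature actually buys you (a mirror can rewrite Packages but not produce a valid Release.gpg for it), while step 2 is the per-package comparison apt already performs once it trusts the index. Until signed .debs arrive, the Release signature is the only link back to the archive rather than to the mirror.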

