On Thu, May 16, 2002 at 09:26:52AM +0100, Colin Watson wrote:
> On Wed, May 15, 2002 at 08:19:29PM -0400, Andy Saxena wrote:
> > Since the Packages.gz has md5sums for the entire package, one scheme
> > would be to download this file from a trusted source, like the main
> > Debian website, and then compare these checksums to the downloaded
> > packages that come from a mirror site.
> >
> > Has somebody already come up with a package that does this?
>
> apt itself checks the MD5sum: fields in Packages files, so all you need
> to do is verify Packages. There's a Release file on mirrors that
> contains an MD5sum of Packages, and it's accompanied by a signature
> (Release.gpg). See http://www.debian.org/releases/stable/ for how to
> verify it.

Infinitely easier than what I had suggested earlier.

> There's a script that does all this here:
>
>   http://www.debian.org/doc/manuals/securing-debian-howto/ch7.en.html#s7.3
>
> > Again, my knowledge on this topic may be lacking, but it seems a lot
> > of trust is placed in the administrators of mirror sites. How
> > difficult would it be for an errant administrator to substitute the
> > official packages with one of his own trojans?
>
> Not inconceivable, although, as with most of these things, the attacker
> would only get one chance before it was widely publicized that that
> mirror was one to be avoided.
>
> There are plans afoot for signed .debs, so that every package would come
> with a PGP/GPG signature in the same way source packages do now. There's
> a debsigs package in woody and support in dpkg ready for if and when
> that's deployed.

Thanks for the info. You are right about the publicity being a check
against this, but at the same time that mirror could get hacked into
without the admin knowing about it till it's too late.

-Andy
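The trust chain Colin describes (Release.gpg signs Release, Release lists the MD5 of Packages, Packages lists the MD5 of each .deb) can be walked by hand with nothing but gpg, md5sum and awk. The script below is an added illustration written for this page; it is not the script from the Securing Debian HOWTO and not part of apt or dpkg. It assumes the Release file layout of the time (an `MD5Sum:` header followed by indented ` <md5> <size> <path>` lines) and Packages stanzas separated by blank lines with `Package:` and `MD5sum:` fields; the file and package names in the usage line are made up.

```shell
#!/bin/sh
# Manual walk of the mirror trust chain (added example, not Debian tooling):
#   Release.gpg --signs--> Release --MD5Sum list--> Packages --MD5sum field--> foo.deb
# Assumes the 2002-era Release/Packages field layout described in the lead-in.
set -u

# md5 of a file as a bare hex string (GNU coreutils md5sum).
md5_of() {
    md5sum < "$1" | cut -d' ' -f1
}

# 1. Verify the detached signature on Release. This is the one step a mirror
#    operator cannot forge, and it needs the archive key in your keyring.
#    gpg --verify takes the signature file first, then the signed data.
verify_release_signature() {   # verify_release_signature RELEASE
    gpg --verify "$1.gpg" "$1"
}

# 2. Pull the MD5 that Release records for a relative path such as
#    main/binary-i386/Packages. Only lines under "MD5Sum:" are considered;
#    the list ends at the next non-indented header.
release_md5_for() {   # release_md5_for RELEASE RELPATH
    awk -v want="$2" '
        /^MD5Sum:/ { inlist = 1; next }
        /^[^ ]/    { inlist = 0 }
        inlist && $3 == want { print $1; exit }
    ' "$1"
}

verify_packages() {   # verify_packages RELEASE PACKAGES RELPATH
    expected=$(release_md5_for "$1" "$3")
    [ -n "$expected" ] || { echo "no entry for $3 in Release" >&2; return 1; }
    actual=$(md5_of "$2")
    [ "$expected" = "$actual" ] || { echo "$2: md5 differs from Release" >&2; return 1; }
}

# 3. Find the MD5sum field in the stanza for one package name. awk paragraph
#    mode (RS="") gives one stanza per record, one field per line.
packages_md5_for() {   # packages_md5_for PACKAGES PKGNAME
    awk -v want="$2" 'BEGIN { RS = ""; FS = "\n" }
        {
            name = ""; sum = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Package: /) name = substr($i, 10)
                if ($i ~ /^MD5sum: /)  sum  = substr($i, 9)
            }
            if (name == want) { print sum; exit }
        }' "$1"
}

verify_deb() {   # verify_deb PACKAGES PKGNAME DEBFILE
    expected=$(packages_md5_for "$1" "$2")
    [ -n "$expected" ] || { echo "no stanza for $2 in Packages" >&2; return 1; }
    actual=$(md5_of "$3")
    [ "$expected" = "$actual" ] || { echo "$3: md5 differs from Packages (tampered mirror?)" >&2; return 1; }
}

# Whole chain, in the order the trust actually flows. Each step refuses to
# continue if the previous one fails, so a .deb is never accepted on the
# strength of an unverified Packages file.
check_mirror_package() {   # check_mirror_package RELEASE PACKAGES RELPATH PKGNAME DEBFILE
    verify_release_signature "$1" \
        && verify_packages "$1" "$2" "$3" \
        && verify_deb "$2" "$4" "$5"
}
```

Typical use, with files fetched from the mirror into the current directory (names are illustrative): `check_mirror_package Release Packages main/binary-i386/Packages ssh ssh_3.4p1-1_i386.deb`. Two caveats a practitioner should keep in mind: `gpg --verify` exits 0 for a good signature from any key in the keyring, so verify against a keyring that holds only the archive key (for example with `--keyring`), and the Packages file you check must be the exact bytes whose hash Release lists, so verify the uncompressed Packages if that is the entry you look up, or the .gz if you look up the .gz entry.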