In <4a5f5d95.06e2660a.6fbc.4...@mx.google.com>, Sthu Deus wrote:
>Thank You for Your time and answer, Johannes:
>> > How can I find out from whence the file has come?
>>
>> Probably not at all. Your files will have the same md5sums no matter
>> from where you've got the package (i.e. it does not matter if the
>> package is from your DVD, someone else's DVD or from some server over the
>> internet, as long as the integrity of the files is ok (i.e. md5sums).
>>
>> To verify you could try 'debsums ace-of-penguins'
>
>Actually, all I wanted here was to find out from which package the
> md5sums for each package come - to understand how the check process works.
A package maintainer can include a debsums file in the package. When you
install the debsums package, it sets up an apt hook to generate a .debsums
file when a package is installed and doesn't already have one.

>I want to know if I can check the integrity of a downloaded package
> through FTP and not apt-get. - For if a checksum comes w/ the package -
> then I can not trust it.

Depends on how you got the package. There is a "chain of trust" between
your apt keyring and the package contents.

The Release and Packages files have detached signatures, which APT
verifies to ensure they are trusted and not corrupt.

The Packages file contains multiple hashes for each .deb package, which
APT verifies to ensure they are trusted and not corrupt.

The .deb package might contain a .debsums file. If not, .debsums can be
generated locally.

So, *just after package installation* you can trust the .debsums. They
are either from a trusted source or are generated locally (generally also
a trusted source).

The problem arises that the .debsums files are stored on the same
(generally mutable) media that the package files are stored on. If an
attacker modifies package files they can also modify the .debsums to
match their modifications. Debsums is not meant to catch attackers, but
to detect random corruption.

-- 
Boyd Stephen Smith Jr.                 b...@iguanasuicide.net
ICQ: 514984   YM/AIM: DaTwinkDaddy     http://iguanasuicide.net/
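As an added example (not part of this thread), here is a small POSIX shell script that does by hand the middle link of the chain of trust described above for a .deb fetched over FTP: it compares the file's SHA256 with the entry the archive's Packages file records for it, exactly as apt-get does. It assumes the Packages file has already been checked against the signed Release file (the gpgv line in the comments needs the debian-archive-keyring package installed); the package name, version and stanza are constructed fixtures, not real archive data.

```shell
#!/bin/sh
# Added example: check a hand-downloaded .deb against the SHA256 that the
# archive's Packages file records for it. This is the step APT performs
# after verifying Release/Release.gpg with the keyring, e.g.
#   gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg Release.gpg Release
# (that signature step is assumed done and is not repeated here).

# Exit 0 on match, 1 on hash mismatch, 2 if the .deb is not listed at all.
verify_deb_against_packages() {
    packages="$1"
    deb="$2"
    name=$(basename "$deb")
    # Find the stanza whose Filename ends in our basename and read its SHA256.
    expected=$(awk -v name="$name" '
        /^Filename:/ { n = split($2, p, "/"); in_stanza = (p[n] == name) }
        /^SHA256:/ && in_stanza { print $2; exit }
        /^$/ { in_stanza = 0 }
    ' "$packages")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$deb" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Constructed fixtures (not real archive data): a stand-in .deb, a Packages
# stanza carrying its real hash, and a one-byte-corrupted copy of the .deb.
# In practice the stanza comes from the mirror's signed Packages file, never
# from a checksum shipped alongside the download itself.
make_fixture() {
    dir=$(mktemp -d)
    mkdir "$dir/corrupt"
    printf 'constructed deb payload\n' > "$dir/ace-of-penguins_1.2-8_amd64.deb"
    printf 'constructed deb pay1oad\n' > "$dir/corrupt/ace-of-penguins_1.2-8_amd64.deb"
    sum=$(sha256sum "$dir/ace-of-penguins_1.2-8_amd64.deb" | awk '{ print $1 }')
    cat > "$dir/Packages" <<EOF
Package: ace-of-penguins
Version: 1.2-8
Architecture: amd64
Filename: pool/main/a/ace-of-penguins/ace-of-penguins_1.2-8_amd64.deb
SHA256: $sum

EOF
    echo "$dir"
}

d=$(make_fixture)
verify_deb_against_packages "$d/Packages" "$d/ace-of-penguins_1.2-8_amd64.deb" \
    && echo "intact copy: hash matches Packages"
verify_deb_against_packages "$d/Packages" "$d/corrupt/ace-of-penguins_1.2-8_amd64.deb" \
    || echo "corrupt copy: hash mismatch (rc=$?)"
```

For a real download, point the function at the Packages file you fetched (and verified) from the same mirror and at the .deb you got over FTP; a checksum that travels with the download proves nothing, as the thread notes.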