On 9/20/22 02:53, Tim Woodall wrote:
> On Tue, 20 Sep 2022, Hans wrote:
>
>> I asked myself how I can check whether the packages on a mirror have not been manipulated.
>
> apt does this for you. There are a set of gpg public keys in
> /etc/apt/trusted.gpg.d.
>
> When apt downloads the releases file it verifies it with these keys. If
> it cannot do that then it won't continue. (unless you're on a very old
> distribution)
>
> It then downloads the packages file and verifies its hash against the
> one in the releases file that was signed.
>
> And finally, when it downloads the package it verifies the hash against
> the one in the packages file.
>
> So you're safe using any mirror or http connection.
>
> There is one possible concern if you're particularly worried about a
> mirror - for a short time a mirror could delay updating which would mean
> clients wouldn't get security fixes for known bugs. Eventually apt would
> start complaining about the signature being too old.
>
> Also, in rare cases, you might not want a government to know what
> packages you're installing - e.g. crypto is restricted. Using https to a
> mirror in another country will help but apt doesn't attempt to hide this
> information and it might be possible to work out what was downloaded
> just from bytes transferred and packet sizes to some degree.
>
> Tim.


Is the Debian package distribution workflow/ infrastructure documented? If so, where is the documentation?


Has the Debian package distribution workflow/ infrastructure been audited for security? If so, by whom? And are there reports? If so, where are the reports?


David
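The trust chain Tim describes (signed Release file, then Packages index checked against it, then the .deb checked against the index) can be walked by hand. The following is an added example, not code from the thread or from apt itself: it parses the SHA256 section of a Release file and the stanzas of a Packages file, verifies each link of the chain, and applies the freshness check apt performs on the `Valid-Until` field, which is what produces the "too old" complaint for a stalled mirror. The OpenPGP step (gpgv over InRelease with the keys in /etc/apt/trusted.gpg.d) is not reproduced here; the Release text, Packages index and package bytes are constructed inline, and the package name `example-tool`, the path `main/binary-amd64/Packages` and the check times are assumptions for the demonstration.

```python
import hashlib
import re
from datetime import datetime, timezone

# --- Constructed sample repository data (not from any real mirror) ---
PACKAGE_DEB = b"!<arch>\n" + b"constructed-deb-body-for-demo"
PACKAGE_SHA = hashlib.sha256(PACKAGE_DEB).hexdigest()

PACKAGES_INDEX = (
    "Package: example-tool\n"           # assumed package name
    "Version: 1.0-1\n"
    "Architecture: amd64\n"
    "Filename: pool/main/e/example-tool/example-tool_1.0-1_amd64.deb\n"
    f"Size: {len(PACKAGE_DEB)}\n"
    f"SHA256: {PACKAGE_SHA}\n"
    "\n"
).encode()
PACKAGES_SHA = hashlib.sha256(PACKAGES_INDEX).hexdigest()

# A minimal Release file: the SHA256 section lists hash, size and path
# of every index file; Valid-Until is the field apt uses for staleness.
RELEASE_FILE = (
    "Origin: Example\n"
    "Suite: stable\n"
    "Date: Tue, 20 Sep 2022 00:00:00 UTC\n"
    "Valid-Until: Tue, 27 Sep 2022 00:00:00 UTC\n"
    "SHA256:\n"
    f" {PACKAGES_SHA} {len(PACKAGES_INDEX)} main/binary-amd64/Packages\n"
)

# Assumed check times: one inside the validity window, one after it.
NOW_FRESH = datetime(2022, 9, 21, tzinfo=timezone.utc)
NOW_STALE = datetime(2022, 10, 1, tzinfo=timezone.utc)


def parse_release_hashes(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    hashes = {}
    in_section = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):
                break  # a new header field ends the hash section
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes


def release_is_fresh(release_text, now):
    """Staleness check: a Release whose Valid-Until has passed is rejected."""
    m = re.search(r"^Valid-Until: (.+)$", release_text, re.M)
    if not m:
        return True  # no expiry field present; nothing to enforce
    valid_until = datetime.strptime(
        m.group(1), "%a, %d %b %Y %H:%M:%S %Z"
    ).replace(tzinfo=timezone.utc)
    return now <= valid_until


def verify_index(release_hashes, path, data):
    """Link 2: the downloaded Packages file must match the signed Release entry."""
    digest, size = release_hashes[path]
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


def parse_packages(packages_bytes):
    """Return {Package: {field: value}} for each stanza of a Packages file."""
    pkgs = {}
    for stanza in packages_bytes.decode().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        if "Package" in fields:
            pkgs[fields["Package"]] = fields
    return pkgs


def verify_deb(pkg_fields, deb_bytes):
    """Link 3: the downloaded .deb must match size and SHA256 from the index."""
    return (len(deb_bytes) == int(pkg_fields["Size"])
            and hashlib.sha256(deb_bytes).hexdigest() == pkg_fields["SHA256"])


def verify_chain(release_text, packages_bytes, deb_bytes, package_name, now):
    """Walk the chain after the OpenPGP check; return 'ok' or the failing link."""
    if not release_is_fresh(release_text, now):
        return "release-expired"
    hashes = parse_release_hashes(release_text)
    if not verify_index(hashes, "main/binary-amd64/Packages", packages_bytes):
        return "packages-index-mismatch"
    pkgs = parse_packages(packages_bytes)
    if package_name not in pkgs:
        return "package-not-in-index"
    if not verify_deb(pkgs[package_name], deb_bytes):
        return "deb-mismatch"
    return "ok"


if __name__ == "__main__":
    print(verify_chain(RELEASE_FILE, PACKAGES_INDEX, PACKAGE_DEB, "example-tool", NOW_FRESH))
    print(verify_chain(RELEASE_FILE, PACKAGES_INDEX, PACKAGE_DEB + b"x", "example-tool", NOW_FRESH))
```

Because every hash is anchored in the Release file that the signature covers, a mirror can serve a tampered index or package only at the cost of a hash mismatch, which is why Tim calls plain http mirrors safe; the one thing a mirror can still do is serve an old but genuine snapshot, and that is what the Valid-Until check bounds.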
