There is a list of "official mirrors" available at: http://www.debian.org/misc/README.mirrors
Downloading your packages from any other site than one listed on this page significantly increases your odds of downloading an unofficial package (i.e. a Trojan Horse...).

Regards,
Phil

> On Thu, 13 Dec 2001, Wichert Akkerman wrote:
>
> > There is a separate plan for verifying signatures using apt. From
> > memory this goes as follows:
> >
> > * deb packages are installed in the archive
> > * the MD5 checksum for each package is listed in the Packages file
> > * the MD5 checksum for each Packages file for a release is listed in
> >   the Release file
> > * the archive creates a signature for the Release file that apt can
> >   verify
>
> Hi,
>
> Forgive me if my question is rather naive. I have the following
> scenario and am curious to know whether this has already been addressed:
>
> 1. Mr. Cracker sets up a mirror and claims it is a mirror for Debian
>    distros.
> 2. Mr. Cracker recompiles trojaned packages and recomputes the MD5
>    checksums for them. These trojaned .debs are placed on the mirror.
>
> How would a person getting .debs from this mirror be able to
> protect him/herself from such a situation? Would they have to exclusively
> get .debs from the Debian site itself?
>
> Note that if the packages are PGP / GPG signed, the problem is
> only a little less acute. Mr. Cracker could sign the package with his /
> her key. How would a user know that Mr. Cracker is not in fact the
> maintainer?
>
> Regards,
> Jor-el
>
> --
> To UNSUBSCRIBE, email to debian-security-[EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
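The following Python is an added example and not code from this thread or from apt itself. It models the verification chain Wichert outlines (signed Release file, Packages file checksums in Release, .deb checksums in Packages) and runs Jor-el's mirror scenario against it: the mirror operator can recompute every checksum but cannot produce a valid signature on the Release file, so the chain breaks at the first step. The Release and Packages formats are simplified constructions, all contents are constructed sample data, and the HMAC stands in for the archive's detached GPG signature only so that the example runs offline; real apt verifies Release.gpg against public keys in its keyring.

```python
import hashlib
import hmac

# Constructed stand-in for the archive's signing key. Real apt verifies a detached
# GPG signature (Release.gpg) against a public key in the apt keyring; an HMAC is
# used here only so the example runs without a GPG installation.
ARCHIVE_SIGNING_KEY = b"constructed-archive-signing-key"


def md5_hex(data: bytes) -> str:
    # The thread describes MD5; current Debian Release files also carry SHA256.
    return hashlib.md5(data).hexdigest()


def build_packages_file(debs: dict) -> bytes:
    """Simplified Packages file: one stanza per .deb with its MD5sum and Size."""
    stanzas = []
    for name, content in debs.items():
        stanzas.append(f"Package: {name}\nFilename: pool/{name}.deb\n"
                       f"Size: {len(content)}\nMD5sum: {md5_hex(content)}\n")
    return "\n".join(stanzas).encode()


def build_release_file(packages_files: dict) -> bytes:
    """Simplified Release file listing the MD5 and size of each Packages file."""
    lines = ["MD5Sum:"]
    for path, content in packages_files.items():
        lines.append(f" {md5_hex(content)} {len(content)} {path}")
    return ("\n".join(lines) + "\n").encode()


def sign_release(release: bytes) -> str:
    """Stand-in for the archive signing Release; only the archive holds the key."""
    return hmac.new(ARCHIVE_SIGNING_KEY, release, hashlib.sha256).hexdigest()


def verify_release_signature(release: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign_release(release), signature)


def parse_release_md5(release: bytes) -> dict:
    """Return {path: (md5, size)} from the MD5Sum section of a Release file."""
    entries, in_section = {}, False
    for line in release.decode().splitlines():
        if line.startswith("MD5Sum:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False
    return entries


def parse_packages(packages: bytes) -> dict:
    """Return {Filename: (md5, size)} from the stanzas of a Packages file."""
    entries = {}
    for stanza in packages.decode().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "Filename" in fields:
            entries[fields["Filename"]] = (fields["MD5sum"], int(fields["Size"]))
    return entries


def verify_download(release, signature, packages_path, packages, deb_path, deb):
    """Walk the trust chain: signature -> Release -> Packages -> .deb."""
    if not verify_release_signature(release, signature):
        return False, "Release signature invalid"
    release_entries = parse_release_md5(release)
    if packages_path not in release_entries:
        return False, "Packages file not listed in Release"
    digest, size = release_entries[packages_path]
    if md5_hex(packages) != digest or len(packages) != size:
        return False, "Packages file does not match Release"
    pkg_entries = parse_packages(packages)
    if deb_path not in pkg_entries:
        return False, ".deb not listed in Packages"
    digest, size = pkg_entries[deb_path]
    if md5_hex(deb) != digest or len(deb) != size:
        return False, ".deb does not match Packages"
    return True, "ok"


def demo():
    """Honest mirror versus the trojaned mirror of the thread; all data constructed."""
    packages_path, deb_path = "main/binary-i386/Packages", "pool/foo.deb"
    honest_deb = b"foo-1.0 honest contents"
    packages = build_packages_file({"foo": honest_deb})
    release = build_release_file({packages_path: packages})
    signature = sign_release(release)  # only the real archive can produce this

    trojaned_deb = b"foo-1.0 trojaned contents"
    bad_packages = build_packages_file({"foo": trojaned_deb})
    bad_release = build_release_file({packages_path: bad_packages})
    return {
        "honest": verify_download(release, signature, packages_path, packages, deb_path, honest_deb),
        # mirror recomputes every checksum but must reuse the archive's signature
        "recomputed_all": verify_download(bad_release, signature, packages_path, bad_packages, deb_path, trojaned_deb),
        # mirror keeps the signed Release and swaps only the Packages file
        "swapped_packages": verify_download(release, signature, packages_path, bad_packages, deb_path, trojaned_deb),
        # mirror swaps only the .deb
        "swapped_deb": verify_download(release, signature, packages_path, packages, deb_path, trojaned_deb),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Every tampered variant is rejected at the first link of the chain that the mirror cannot forge, which is also the answer to Jor-el's second point: a signature made with the mirror operator's own key never enters the picture, because the client only trusts the archive key it already holds, not whatever key accompanies the package.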