Do I really have to check all the .deb files listed in the Packages files if I have
already checked all the Packages files themselves and they do check? AFAIK
apt-get always checks whether the md5 (from the Packages files it downloads) does not
match and warns the user about / forbids the user from installing such a "dirty" package. I
mean, what really matters is to check that all Packages{,.gz} files have got a
good signature from the Archiver, am I right?
--
Felipe
On Sat, 5 Feb 2005, Brendan O'Dea wrote:
On Fri, Feb 04, 2005 at 08:32:55PM -0200, Felipe Massia Pereira wrote:
I'd like to know more about security procedures for mirrors, mainly how
to check the repository for malicious corruption, and if there is a
channel which could be used to notify users who download from my mirror.
The checksums of the Packages files for a distribution are contained in
the dists/DIST/Release file, with a detached signature Release.gpg .
This provides a chain of trust by which each package may be verified
against a checksum in the Packages file, which itself may be verified
using the signed Release file.
There is a patch to APT to do this automatically, currently only applied
to the experimental version.
As for checking an entire mirror, I don't know of anything which currently
does this, but the process should be fairly straightforward:
1. For each distribution D, verify dist/D/Release{,.gpg} against the
archive key.
2. Check the md5sums of the files listed in each Release file.
3. Check the md5sums of the packages listed in each Packages file.
--bod
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
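The three steps above, worked through as an added example (this is not code from the thread or from Debian's own tools): a Python script that parses the MD5Sum: block of a Release file and the Filename/Size/MD5sum fields of a Packages file, checks every listed file on disk, and only descends from a verified Release to its Packages files, and from a verified Packages file to its .debs. Step 1 is delegated to gpgv against an archive keyring; the keyring path, the "sarge" dist, the "hello" package and all paths are assumptions. The toy mirror it builds in a temp directory is constructed so the script runs offline, and because that toy carries no real Release.gpg the demo run stands in for the signature step. The two tampering runs illustrate Felipe's question: a corrupted .deb is caught by its Packages entry, and a corrupted Packages file by its Release entry, so the whole tree hangs off the one signature.

```python
import hashlib, os, subprocess, tempfile

def parse_release(text):
    """Step 2 input: {path relative to the dist dir: (md5, size)} from Release's MD5Sum: block."""
    listed, in_sums = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):
            in_sums = line.strip() == "MD5Sum:"   # a later SHA1:/SHA256: block ends it
        elif in_sums:
            md5, size, path = line.split()
            listed[path] = (md5, int(size))
    return listed

def parse_packages(text):
    """Step 3 input: {Filename relative to the mirror root: (MD5sum, Size)} per stanza."""
    listed = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.partition(":")[::2] for line in stanza.splitlines()
                      if not line.startswith(" "))   # indented lines continue Description
        if "Filename" in fields:
            listed[fields["Filename"].strip()] = (fields["MD5sum"].strip(), int(fields["Size"]))
    return listed

def md5_of(path):
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()

def check_one(path, md5, size):
    """None if the file on disk matches its recorded size and md5, else the reason."""
    if not os.path.exists(path):
        return "missing"
    if os.path.getsize(path) != size:
        return "size mismatch"
    return None if md5_of(path) == md5 else "md5 mismatch"

def gpgv_release(dist_dir, keyring):
    """Step 1: gpgv checks the detached Release.gpg against the archive keyring."""
    cmd = ["gpgv", "--keyring", keyring, os.path.join(dist_dir, "Release.gpg"),
           os.path.join(dist_dir, "Release")]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def verify_mirror(root, dists, release_ok):
    """Steps 1-3 for each dist; release_ok(dist_dir) -> bool performs step 1."""
    problems = []
    for dist in dists:
        dist_dir = os.path.join(root, "dists", dist)
        if not release_ok(dist_dir):
            problems.append(f"{dist}: Release signature did not verify")
            continue                            # nothing below an unverified Release is trusted
        with open(os.path.join(dist_dir, "Release")) as fh:
            indexes = parse_release(fh.read())
        for rel, (md5, size) in indexes.items():
            bad = check_one(os.path.join(dist_dir, rel), md5, size)
            if bad:
                problems.append(f"{dist}: {bad}: {rel}")
            elif os.path.basename(rel) == "Packages":   # parse an index only once it verified
                with open(os.path.join(dist_dir, rel)) as fh:
                    for deb, (dmd5, dsize) in parse_packages(fh.read()).items():
                        bad = check_one(os.path.join(root, deb), dmd5, dsize)
                        if bad:
                            problems.append(f"{dist}: {bad}: {deb}")
    return problems

def corrupt_in_place(root, rel):
    """Flip one byte of a mirror file without changing its size: only the md5 catches this."""
    with open(os.path.join(root, rel), "r+b") as fh:
        first = fh.read(1)
        fh.seek(0)
        fh.write(bytes([first[0] ^ 0xFF]))

def write_file(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def build_sample_mirror():
    """Constructed toy mirror: one dist, one component, one fake .deb (not real archive data)."""
    root = tempfile.mkdtemp(prefix="mirror-")
    deb = "pool/main/h/hello/hello_1.0_i386.deb"
    deb_path = os.path.join(root, deb)
    index_path = os.path.join(root, "dists/sarge/main/binary-i386/Packages")
    write_file(deb_path, b"!<arch>\nsample bytes standing in for a real .deb\n")
    write_file(index_path, (f"Package: hello\nVersion: 1.0\nArchitecture: i386\nFilename: {deb}\n"
                            f"Size: {os.path.getsize(deb_path)}\nMD5sum: {md5_of(deb_path)}\n").encode())
    write_file(os.path.join(root, "dists/sarge/Release"),
               ("Origin: Debian\nSuite: stable\nCodename: sarge\nMD5Sum:\n"
                f" {md5_of(index_path)} {os.path.getsize(index_path)} main/binary-i386/Packages\n").encode())
    return root

if __name__ == "__main__":
    root = build_sample_mirror()
    # The toy mirror carries no real signature, so step 1 is stood in for here; on a real
    # mirror pass lambda d: gpgv_release(d, "/usr/share/keyrings/debian-archive-keyring.gpg")
    # (keyring path is an assumption).
    signed = lambda dist_dir: True
    print("clean:", verify_mirror(root, ["sarge"], signed))
    corrupt_in_place(root, "pool/main/h/hello/hello_1.0_i386.deb")
    print("tampered .deb:", verify_mirror(root, ["sarge"], signed))
    corrupt_in_place(root, "dists/sarge/main/binary-i386/Packages")
    print("tampered Packages:", verify_mirror(root, ["sarge"], signed))
```

Note the ordering: a Packages file is parsed only after its own entry in Release verified, so a mirror whose Packages file was rewritten to match a trojaned .deb is reported at step 2 and its package list is never trusted. Packages.gz entries are checksummed in step 2 but not parsed here; on a real mirror both indexes should match anyway. The md5 fields are what the 2005 Release and Packages files carried; the same loop applies to the SHA blocks later archives added.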