On 14527 March 1977, Christoph Biedl wrote:
> Well, this creates trust for the path until (but excluding) that
> particular mirror only. Can I trust the mirror? And even if, there's no
> guarantee the mirror got the data through a trusted path.
And why the heck would you ever trust any mirror? If you have to, you lost already and are doing it wrong. https gains you NOTHING at all.

It's perfectly fine to use ANY mirror, however untrustworthy that one may be, because the conduct of its operators does not matter at all. The Debian archive and its tools are set up so that you do not need to trust them, and so that you notice if they do want to f*ck with you. As long as you

 - verified the CD image you installed from against the checksum file provided by the Debian CD team, signed by their key,
 - do not disable signature checking in apt,
 - do not add random gpg keys to your trust store,

you are fine.

Now, if you want to manually download a .deb and dpkg -i it, then you have to manually do the same steps apt & co do: get the corresponding Packages and (In)Release files, verify that the signature validates against the archive key, then verify the checksum of the Packages file and then that of the .deb file. If you don't follow this, you lost, but you asked for it.

And before someone comes with hiding information from a sniffer: https does not help you there; use tor if you do not want people to know which packages you just downloaded. https does not hide this from a sniffer.

-- 
bye, Joerg
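The manual verification chain Joerg describes (archive signature over (In)Release, Release lists the hash of Packages, Packages lists the hash of the .deb), as an added example that is not part of the mail and not apt's own code. The signature step shells out to the real gpgv tool and is only sketched; the hash-chain steps run offline on constructed Release/Packages/.deb stand-ins built inline, including a tampered .deb and a mirror-rewritten index, both of which must fail. Field names follow the Debian Release and Packages formats; the keyring path and sample contents are assumptions.

```python
"""Manual .deb verification chain: InRelease -> Packages -> .deb.
Added example, not from the original mail; all sample data below is constructed."""
import hashlib
import re
import subprocess


def verify_inrelease_signature(inrelease_path, keyring_path):
    """Step 1: the archive signature. gpgv exits 0 only for a good signature made by a key
    in the supplied keyring (assumed path: /usr/share/keyrings/debian-archive-keyring.gpg).
    Needs gpgv installed; the offline demo below does not call this."""
    result = subprocess.run(["gpgv", "--keyring", keyring_path, inrelease_path],
                            capture_output=True)
    return result.returncode == 0


def strip_clearsign(text):
    """Return the signed payload of a clearsigned InRelease file; a plain Release file
    (used with a detached Release.gpg) is returned unchanged."""
    if not text.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        return text
    lines = text.splitlines()
    start = lines.index("") + 1                     # blank line ends the armor headers
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    # undo clearsign dash-escaping on payload lines
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[start:end]) + "\n"


def parse_release_sha256(release_text):
    """{relative path: (sha256 hex, size)} from the SHA256: section of a Release file."""
    entries = {}
    in_sha256 = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_sha256 = line.strip() == "SHA256:"   # a new field starts; is it the SHA256 list?
            continue
        if in_sha256 and line.split():
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text):
    """{package name: {field: value}} from a Packages index (one stanza per binary package)."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", packages_text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace() or ":" not in line:
                continue                             # continuation lines (Description) not needed
            key, value = line.split(":", 1)
            fields[key] = value.strip()
        if "Package" in fields:
            pkgs[fields["Package"]] = fields
    return pkgs


def digest_matches(data, expected_sha256, expected_size):
    return len(data) == expected_size and hashlib.sha256(data).hexdigest() == expected_sha256


def verify_deb_chain(release_text, packages_rel_path, packages_bytes, package_name, deb_bytes):
    """Steps 2 and 3, assuming step 1 (the signature) already passed. Returns (ok, detail)."""
    release = parse_release_sha256(strip_clearsign(release_text))
    if packages_rel_path not in release:
        return False, "Packages index not listed in Release"
    if not digest_matches(packages_bytes, *release[packages_rel_path]):
        return False, "Packages index does not match the signed Release file"
    pkgs = parse_packages(packages_bytes.decode())
    if package_name not in pkgs:
        return False, "package not in index"
    entry = pkgs[package_name]
    if not digest_matches(deb_bytes, entry["SHA256"], int(entry["Size"])):
        return False, ".deb does not match the verified Packages index"
    return True, entry["Filename"]


# --- constructed demo data: a stand-in .deb, its Packages stanza and a Release file ---
DEB_BYTES = b"!<arch>\nconstructed stand-in for hello_1.0_amd64.deb\n"
PACKAGES_PATH = "main/binary-amd64/Packages"
PACKAGES_BYTES = (
    "Package: hello\nVersion: 1.0\nArchitecture: amd64\n"
    "Filename: pool/main/h/hello/hello_1.0_amd64.deb\n"
    f"Size: {len(DEB_BYTES)}\nSHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
    "Description: constructed example package\n"
).encode()
RELEASE_TEXT = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    "Origin: Debian\nSuite: stable\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES_BYTES).hexdigest()} {len(PACKAGES_BYTES)} {PACKAGES_PATH}\n"
    "-----BEGIN PGP SIGNATURE-----\n(signature block omitted in the offline demo)\n"
    "-----END PGP SIGNATURE-----\n"
)


def demo():
    """(genuine ok, tampered .deb ok, mirror-rewritten index ok)."""
    genuine, _ = verify_deb_chain(RELEASE_TEXT, PACKAGES_PATH, PACKAGES_BYTES, "hello", DEB_BYTES)
    tampered_deb, _ = verify_deb_chain(RELEASE_TEXT, PACKAGES_PATH, PACKAGES_BYTES,
                                       "hello", DEB_BYTES + b"\x00")
    # A mirror that rewrites the index to match its own .deb is caught at the Release step,
    # because it cannot re-sign Release without the archive key.
    evil_deb = b"malicious payload"
    evil_packages = (PACKAGES_BYTES
                     .replace(hashlib.sha256(DEB_BYTES).hexdigest().encode(),
                              hashlib.sha256(evil_deb).hexdigest().encode())
                     .replace(f"Size: {len(DEB_BYTES)}".encode(), f"Size: {len(evil_deb)}".encode()))
    tampered_index, _ = verify_deb_chain(RELEASE_TEXT, PACKAGES_PATH, evil_packages, "hello", evil_deb)
    return genuine, tampered_deb, tampered_index


if __name__ == "__main__":
    print(demo())
```

Against a real mirror the order is the point: run verify_inrelease_signature on the downloaded InRelease first, and only then trust its SHA256 list for the Packages file and, through that, the .deb. None of the three steps cares which mirror served the bytes, which is why https adds nothing to integrity here.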