I believe .deb's have checksums... and at least as far as "official"
packages go, using apt anyways, which usually grabs the 'master' package
listing, does dpkg automatically check the checksum on installation or no?
If not it would be a nice feature. I know rpms have some form of checksum
(pgp I think), but from what I've seen you gotta use rpm manually to check it.

And while creating a native .deb probably is beyond the knowledge of most
people (either they never bothered to learn or some other reason), it is
quite easy to turn an rpm into a deb with alien; even though it won't be a
good deb package (with all the fancy scripts), it can give a false sense of
security if you think that just cuz it's a .deb it's safe.  From the reports
I've read in the past, hacked ftp sites are usually caught pretty quick
(within hours?)

nate


On Wed, 1 Mar 2000, Kenneth Scharf wrote:

schark >There are two questions to this issue:
schark >1: Do you trust your distro?
schark >2: Do you trust your distro's ftp site.
schark >
schark >Question number two is really a matter of the site
schark >having been hacked and a trojan (or a coo-coo) being
schark >planted.
schark >
schark >I use debian, and I DO trust them.  I would never have
schark >a problem downloading a .deb file from the official
schark >debian site or a trusted mirror.  In fact it is a
schark >little different with .deb's.  RPM's are EVERYWHERE,
schark >and ANY Tom, Dick, or Harry can create them.  DEB's
schark >seem to be created mostly by Debian personnel (though
schark >there are some non-official ones).  The reason for
schark >this is that the tools necessary to create DEB's are
schark >not as well documented and understood, so only real
schark >debian developers are using them.  Of course with
schark >Corel and Stormix in the picture now, this might be
schark >changing.
schark >
schark >--- Tim Jones <[EMAIL PROTECTED]> wrote:
schark >> Tom Schaefer wrote:
schark >> > 
schark >> > I know this is a Linux list, but a friend of mine had this exchange with one of the people from FreeBSD back in November, regarding Linux vs. FreeBSD and I thought you folks might like to read it ... it may prompt some of you to actually go make a boot floppy and install straight from the net ... Keith, my friend had written an article, to which Daniel Sobral, (FreeBSD) responded, and this is only one of several of the emails exchanged:
schark >> > 
schark >> > ===== cut here =====
schark >> 
schark >> Wow, Tom, thanks for copying me on this exchange.  I found it VERY interesting.  This, plus Carlos's information that there ARE indeed multiple fallback sites built in for everything under /usr/ports, makes me want to explore FreeBSD so much more.
schark >> 
schark >> One other thing that I noticed during my FreeBSD box's compilation, but forgot about until reminded by that article, was that the source packages' MD5 checksums are part of the process to help ensure that you're not downloading a trojan.
schark >> 
schark >> This brings up a serious trust issue: It's only a matter of time (could have already happened, for all we know) before somebody at one of the RPM-based distro companies inadvertently puts out a binary RPM that does something nasty and/or covert to our systems.  Or maybe it won't be so innocent: some scummy PHB will get the bright idea to have the coders slip in a piece of code to 'survey' which programs we use the most, or to 'sign' content you produce with your ethernet card's MAC address (MS does this with Word, they called it a bug, gimme a break!)  Yes, they provide SRPMS too, but how do you know the RPMS came directly from the SRPMS?
schark >> 
schark >> The question comes down to:  Do you trust your distro provider to build all of your binaries cleanly?  In a couple years when pressure comes from Wall Street to turn a profit or lose that huge market capitalization, can we trust them to still play straight with us?
schark >> 
schark >> Don't get me wrong: I'm very pro-business!  I work for myself, and am doing pretty nicely, and hope to do even better - it's wonderful, I wish more people could enjoy it... but the misdeeds of the very largest companies (MS, AOL, Disney, Sony, Amazon, Real Networks, MPAA/DVD-CSS, GTE, Bellsouth, Network Solutions, you get the idea) have taught me to distrust the very largest players.  After money comes power, and in our world, these guys' idea of power includes intentional backdoors, sabotaging competing software, selective platform support, eyeballs, spam, restrictive contracts, and ads.  I don't see that Linux companies are inherently immune to these things.
schark >> 
schark >> I'm starting to think that building all your software only from trusted source *.tar.gz files is going to become standard practice among the paranoid (yes, I lean that way too, can you tell?).  FreeBSD does that right now, and we need to either add Linux to the /usr/ports system, or come up with something similar in order to guard against these potential abuses.
schark >> 
schark >> What do you think?
schark >> 
schark >> Tim
schark >>
schark >> ---------------------------------------------------------------------------
schark >> Brought to you by the Florida Linux User Xchange, FLUX.
schark >> Visit our webpage at:  http://www.flux.org
schark >> Mailing list subscription issues: http://www.flux.org/members/list.html
schark >> 
schark >
schark >=====
schark >Amateur Radio, when all else fails!
schark >
schark >http://www.qsl.net/wa2mze
schark >
schark >Debian Gnu Linux, Live Free or .....
schark >
schark >
schark >
schark >
schark >-- 
schark >Unsubscribe?  mail -s unsubscribe [EMAIL PROTECTED] < /dev/null
schark >

----------------------------------------[mailto:[EMAIL PROTECTED] ]--
   Vice President Network Operations       http://www.firetrail.com/
  Firetrail Internet Services Limited      http://www.aphroland.org/
       Everett, WA 425-348-7336            http://www.linuxpowered.net/
            Powered By:                    http://comedy.aphroland.org/
    Debian 2.1 Linux 2.0.36 SMP            http://yahoo.aphroland.org/
-----------------------------------------[mailto:[EMAIL PROTECTED] ]--
10:49am up 194 days, 23:13, 2 users, load average: 1.01, 1.03, 1.00
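Worked example, added here and not from Nate, Kenneth, Tim or the dpkg/apt tools: the check Nate is asking about, done by hand in Python. An apt Packages index is a series of blank-line-separated `Field: value` stanzas, each carrying the package's Filename, Size and MD5sum (later Debian releases add a SHA256 field). The script parses such an index and compares a downloaded file's size and digest against the matching entry, reporting why a file is rejected. The stanzas, payload bytes and pool paths below are constructed for the example. The limit of this check is the thread's real point: if the index is fetched from the same mirror as the package, a hacked mirror can rewrite both, so the digest catches corruption or a swapped file only when the index itself is authenticated separately (a signature over the index, or a copy obtained out of band).

```python
"""Check a downloaded .deb against the digest published in an apt-style
Packages index. Added example: not code from the list posters or from
dpkg/apt; the stanzas, payloads and path names are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict


@dataclass
class IndexEntry:
    package: str
    filename: str
    size: int
    md5: str
    sha256: str  # empty when the index predates SHA256 fields


def parse_packages_index(text: str) -> Dict[str, IndexEntry]:
    """Parse blank-line-separated 'Field: value' stanzas into a map keyed by
    Filename. Indented continuation lines (long Descriptions) are skipped."""
    entries: Dict[str, IndexEntry] = {}
    for stanza in text.strip().split("\n\n"):
        fields: Dict[str, str] = {}
        for line in stanza.splitlines():
            if not line or line[0].isspace():
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        try:
            entry = IndexEntry(
                package=fields["Package"],
                filename=fields["Filename"],
                size=int(fields["Size"]),
                md5=fields["MD5sum"].lower(),
                sha256=fields.get("SHA256", "").lower(),
            )
        except KeyError as exc:
            raise ValueError(f"stanza is missing required field {exc}") from exc
        entries[entry.filename] = entry
    return entries


def make_stanza(package: str, filename: str, data: bytes,
                with_sha256: bool = True) -> str:
    """Publisher side: the stanza a repository tool emits for one file.
    Used here only to build the constructed sample index."""
    lines = [
        f"Package: {package}",
        "Version: 1.0-1",
        f"Filename: {filename}",
        f"Size: {len(data)}",
        f"MD5sum: {hashlib.md5(data).hexdigest()}",
    ]
    if with_sha256:
        lines.append(f"SHA256: {hashlib.sha256(data).hexdigest()}")
    return "\n".join(lines) + "\n"


def verify_deb(index: Dict[str, IndexEntry], filename: str, data: bytes) -> str:
    """Client side: returns 'ok' or a short reason the file is rejected.
    Size is checked first (cheap), then SHA256 if the index has it, else MD5."""
    entry = index.get(filename)
    if entry is None:
        return "not-in-index"
    if len(data) != entry.size:
        return "size-mismatch"
    if entry.sha256:
        if hashlib.sha256(data).hexdigest() != entry.sha256:
            return "sha256-mismatch"
    elif hashlib.md5(data).hexdigest() != entry.md5:
        return "md5-mismatch"
    return "ok"


# Constructed sample: two fake package payloads and an index built from them.
DEMO_FILENAME = "pool/main/d/demo-tool/demo-tool_1.0-1_i386.deb"
GOOD_DEB = b"!<arch>\nconstructed demo-tool payload\n"
OTHER_DEB = b"!<arch>\nconstructed other-tool payload\n"
SAMPLE_INDEX = parse_packages_index(
    make_stanza("demo-tool", DEMO_FILENAME, GOOD_DEB) + "\n"
    + make_stanza("other-tool", "pool/main/o/other-tool/other-tool_1.0-1_i386.deb", OTHER_DEB)
)
# Same length as the good file with one byte changed: a size check alone
# would pass it, the digest does not.
TAMPERED_DEB = GOOD_DEB[:-1] + b"!"

if __name__ == "__main__":
    print("good    :", verify_deb(SAMPLE_INDEX, DEMO_FILENAME, GOOD_DEB))
    print("tampered:", verify_deb(SAMPLE_INDEX, DEMO_FILENAME, TAMPERED_DEB))
    print("unknown :", verify_deb(SAMPLE_INDEX, "pool/main/x/x_1-1_i386.deb", GOOD_DEB))
```

The publisher and client halves are kept separate on purpose: the index is something the client receives, and the whole check is only as trustworthy as the channel that delivered it.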
