
.deb integrity check



Hi all.

(I remember that this subject came up some months ago, but I can't remember
or find the conclusion)

I have realised that dpkg can't check the package integrity. Somebody could
crack ftp.debian.org, put a new login package and get tons of passwords.

rpm has a --checksig option to verify the integrity of the package. Of
course, you can still compromise the PGP key found in the rpm package, but
it's better than nothing to my mind.

I think it would be interesting to PGP-sign the md5sums file included in
the packages with a Debian key and add an option to check this signature.

Any comments?

-- 
Hugo Haas (http://www.via.ecp.fr/~hugo/)
It might look like I'm doing nothing, but at the cellular level I'm really
quite busy.
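
The proposal above, sketched as an added example (not part of the original message, and not dpkg or rpm code): checking files against an md5sums manifest only helps if the manifest itself is authenticated first. Here a pinned SHA-256 of the manifest stands in for the PGP signature check the message proposes; all function names, file names and contents are constructed for illustration.

```python
import hashlib

def parse_md5sums(text):
    """Parse md5sums-style lines: '<32 hex digits>  <relative path>'."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split(None, 1)
        if len(digest) != 32 or not set(digest.lower()) <= set("0123456789abcdef"):
            raise ValueError(f"malformed md5sums line: {line!r}")
        entries[path.strip()] = digest.lower()
    return entries

def check_files(md5sums_text, files):
    """Return sorted paths that are missing, unlisted, or do not match the manifest."""
    expected = parse_md5sums(md5sums_text)
    bad = [p for p, d in expected.items()
           if p not in files or hashlib.md5(files[p]).hexdigest() != d]
    bad += [p for p in files if p not in expected]  # this example also rejects unlisted files
    return sorted(bad)

def verify_package(md5sums_text, files, trusted_manifest_sha256):
    """Authenticate the manifest first, then check the files against it."""
    actual = hashlib.sha256(md5sums_text.encode()).hexdigest()
    if actual != trusted_manifest_sha256:  # stand-in for a failed signature check
        return False, ["md5sums"]
    bad = check_files(md5sums_text, files)
    return not bad, bad

def make_manifest(files):
    """Build a manifest the way a packager (or anyone repacking the archive) could."""
    return "".join(f"{hashlib.md5(d).hexdigest()}  {p}\n" for p, d in sorted(files.items()))

# Constructed sample package contents; the trusted digest is obtained out of band.
GOOD = {"bin/login": b"original login binary\n", "usr/share/doc/login/copyright": b"license text\n"}
GOOD_MANIFEST = make_manifest(GOOD)
TRUSTED = hashlib.sha256(GOOD_MANIFEST.encode()).hexdigest()
TAMPERED = dict(GOOD, **{"bin/login": b"replaced login binary\n"})
TAMPERED_MANIFEST = make_manifest(TAMPERED)  # manifest regenerated along with the file

if __name__ == "__main__":
    print(check_files(GOOD_MANIFEST, TAMPERED))        # original manifest catches the change
    print(check_files(TAMPERED_MANIFEST, TAMPERED))    # regenerated manifest hides it
    print(verify_package(TAMPERED_MANIFEST, TAMPERED, TRUSTED))  # authenticated check rejects it
```

The unsigned check passes whenever the manifest is regenerated together with the modified file, which is why the signature has to cover the manifest and be verified against a key obtained separately from the archive.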

