Re: Mirrors security

[Felipe Massia Pereira <felipe@las.ic.unicamp.br>]

Do I really have to check all .deb files of Packages files if I have 
already checked all Packages' files themselves and they do check? AFAIK 
apt-get always check if md5 (from Packages files it downloads) does not 
match and warns/forbids the user of intalling such a "dirty" package. I 
mean, what really matters is to check if all Packages{,.gz} have got a 
good signature from Archiver, am I right?

--
Felipe

On Sat, 5 Feb 2005, Brendan O'Dea wrote:

> On Fri, Feb 04, 2005 at 08:32:55PM -0200, Felipe Massia Pereira wrote:
> > I'd like to know more about security procedures for mirrors, mainly how
> > to check the repository for malicious corruption, and if there is a
> > channel which could be used to notify users who download from my mirror.
>
> The checksums of the Packages files for a distribution are contained in
> the dists/DIST/Release file, with a detached signature Release.gpg .
>
> This provides a chain of trust by which each package may be verified
> against a checksum in the Packages file, which itself may be verified
> using the signed Release file.
>
> There is a patch to APT to do this automatically, currently only applied
> to the experimental version.
>
> As checking an entire mirror, I don't know of anything which currently
> does this, but the process should be fairly straightforward:
>
>  1. For each distribution D, verify dist/D/Release{,.gpg} against the
>     archive key.
>
>  2. Check the md5sums of the files listed in each Release file.
>  3. Check the md5sums of the packages listed in each Packages file.
>
> --bod
>
>
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org