[NTLUG:Discuss] Package security in Debian?

Lance Simmons lance at lsimmons.net
Tue Dec 18 17:45:08 CST 2001


On Tue, Dec 18, 2001 at 09:53:50AM -0600, brian at pongonova.net wrote:
> Is this simply not an issue with Debian users, or are there ways of
> being reasonably assured a Debian mirror is carrying authentic,
> non-trojaned packages?

I asked this question on the debian-user list. Apt automatically checks
the md5sum of each package it downloads against the md5sum the site
you're downloading the package from says it should be. You can also use
the debsums utility to check the md5sum of every file installed on your
system, to make sure it hasn't been changed since installation. (It's
very reassuring to run debsums and see that all your files are the same
as you installed.)

There is also a newer utility called debsig-verify that checks the
author's pgp or gnupg signature on downloaded packages, but so far very
few packages carry such signatures. When the practice of signing Debian
packages becomes more widespread, that will be an extra check.

So far, then, all you can be sure of is that you're installing the same
package that the site from which you're downloading says they're
offering, but you can't be 100% sure that the person running the site
hasn't tampered with the package and the database listing the md5sums.

Of course, even with author's signatures, when they become more
widespread, I suppose you still won't be able to be absolutely sure the
author hasn't done something sinister. But you'll only have to worry
about the author, not the person running the site from which you're
downloading.

-- 
  .~.
  /v\   Lance Simmons
 // \\  lance at lsimmons.net
/(   )\
__^_^________________________________________________________________________
I'm going to give my psychoanalyst one more year, then I'm going to Lourdes.
		-- Woody Allen
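As an added illustration (not part of Lance's post and not debsums' own code), a minimal debsums-style check in Python: it parses a dpkg .md5sums manifest and reports files that have changed or disappeared since installation, run here against a constructed install root rather than a real system.

```python
"""Minimal debsums-style check: verify installed files against a package's
md5sums manifest ('<md5hex>  <path relative to />', one entry per line)."""
import hashlib
import tempfile
from pathlib import Path


def parse_md5sums(text):
    """Parse a dpkg .md5sums manifest into {relative_path: md5hex}."""
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            digest, rel = line.split(None, 1)
            manifest[rel.strip()] = digest.lower()
    return manifest


def check_package(root, manifest):
    """Compare each manifest entry with the file on disk, as debsums does.
    MD5 matches the manifest format of the era but is not collision-resistant,
    and an attacker with root can rewrite the manifest too, so this catches
    accidental or unprivileged changes, not a fully compromised host."""
    result = {"ok": [], "changed": [], "missing": []}
    for rel, expected in sorted(manifest.items()):
        path = Path(root) / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif hashlib.md5(path.read_bytes()).hexdigest() != expected:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo():
    """Constructed example: a fake install root where one file is altered
    after installation and one is deleted; the check should flag both."""
    root = tempfile.mkdtemp()
    files = {"usr/bin/hello": b"#!/bin/sh\necho hello\n",
             "usr/share/doc/hello/README": b"hello docs\n",
             "usr/lib/hello/data.bin": b"\x00\x01\x02\x03"}
    lines = []
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        lines.append(f"{hashlib.md5(data).hexdigest()}  {rel}")
    manifest = parse_md5sums("\n".join(lines) + "\n")
    (Path(root) / "usr/bin/hello").write_bytes(b"#!/bin/sh\necho changed\n")
    (Path(root) / "usr/lib/hello/data.bin").unlink()
    return check_package(root, manifest)
```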