(debian-kernel dropped from CC, since our kernels have already been reported to be safe elsewhere in the thread).
On Thu, 01 Sep 2011, Christoph Anton Mitterer wrote:
> Any knowledge how far Debian's kernels and sources are concerned by this?
> Do you guys take them from git, or from the kernel.org tar balls.
>
> How do you verify their integrity?

Our kernels are not a problem.

The Debian mirror in mirrors.kernel.org, on the other hand...

While the apt signature will protect users downloading packages through the package manager, users that get binary packages directly are not protected. Source packages are signed, but you have to check the signature _and_ make sure it was signed by a DD/DM.

I am not sure what the kernel.org admin team will do to resync the mirrors. A rsync -c followed by a normal pulse would do it, but it is going to be _painful_ to both mirrors.kernel.org AND its upstream mirror, not to mention slow.

Do we have an automated way to signature-check every binary and source package in a repository against the hashes in the signed release files?

--
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh

Archive: http://lists.debian.org/20110901210501.gc12...@khazad-dum.debian.net
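The check asked about at the end of the message, sketched as an added example (not part of the original mail and not an existing Debian tool): it walks the hash chain from a `Release` file to a `Packages` index to every file the index names, and reports what does not match. The function names are hypothetical, the `Release` file is assumed to have been signature-checked with `gpgv` beforehand, the index is assumed to be uncompressed, and the demo mirror is constructed.

```python
import hashlib
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def release_sha256(text):
    """Index path -> sha256 from the 'SHA256:' section of a Release file (assumed gpgv-checked)."""
    out, inside = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):
            inside = line.strip() == "SHA256:"
        elif inside:
            digest, _size, name = line.split()
            out[name] = digest
    return out

def verify_mirror(root, suite, index):
    """Return sorted (path, reason) pairs for every file that breaks the hash chain."""
    dist = Path(root, "dists", suite)
    want = release_sha256((dist / "Release").read_text(encoding="utf-8"))
    if not (dist / index).is_file() or want.get(index) != sha256_file(dist / index):
        return [(index, "index does not match Release")]  # untrusted index: stop here
    bad = []
    for stanza in (dist / index).read_text(encoding="utf-8").strip().split("\n\n"):
        f = dict(l.split(": ", 1) for l in stanza.splitlines() if l[:1] != " " and ": " in l)
        path = Path(root, f["Filename"])
        if not path.is_file():
            bad.append((f["Filename"], "missing"))
        elif sha256_file(path) != f["SHA256"]:
            bad.append((f["Filename"], "sha256 mismatch"))
    return sorted(bad)

def build_demo_repo(root):
    """Constructed sample mirror: two fake .debs, one altered after it was indexed."""
    dist, pool = Path(root, "dists", "demo"), Path(root, "pool")
    dist.mkdir(parents=True); pool.mkdir()
    index = b""
    for name in ("good_1.0_all.deb", "tampered_1.0_all.deb"):
        data = b"constructed payload " + name.encode()
        (pool / name).write_bytes(data)
        index += f"Filename: pool/{name}\nSHA256: {hashlib.sha256(data).hexdigest()}\n\n".encode()
    (dist / "Packages").write_bytes(index)
    (dist / "Release").write_text(f"SHA256:\n {hashlib.sha256(index).hexdigest()} {len(index)} Packages\n")
    (pool / "tampered_1.0_all.deb").write_bytes(b"altered after indexing")
```

On a real mirror the index argument would be a path such as `main/binary-amd64/Packages`, and source packages need the same walk over `Sources`, whose per-file hashes are listed in a different stanza layout than the one parsed here.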