On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
> On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
> >The public Debian mirrors seem like an obvious target for governments to
> >MITM. I know that the MD5s are also published, but unless you're
> >verifying them with third parties, what's stopping the MD5s being
> >compromised too?
> 
> The cryptographic signatures that are validated automatically by apt. 

What's stopping the attacker from serving a compromised apt?

Alfie

-- 
  Alfie John
  alf...@fastmail.fm


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/1401453836.31698.123277245.0bfa1...@webmail.messagingengine.com
