At 11:11 AM 5/7/01 +0200, you wrote:
>Petr Cech wrote:
>
> > also there are now signed Packages files on mirrors, so you can just check
> > the Packages and MD5 sums of .deb files it contains.
>
>Is there a way (already existing or seen for the future) to prevent faked
>packages/checksums, when someone "hijacks" a mirror and uploads some
>packages and info files with trojans and self-generated checksums? There are
>lots of mirrors around the world in the meantime, and you can't really tell "how
>secure" and thereby how trustworthy they are.
>
> >>>>SNIP<<<<
>If the site is an official mirror, then the suspect files should be
>clobbered on the next rsync. The biggest danger would come if the root
>server were compromised. However, if this were to happen life would be
>bad. I would think if you were concerned about suspect files then doing an
>rsync for just md5sum files off of the main ftp server should in theory
>give you a "known good" baseline.
>
> > Note that apt does MD5
> > check the file after download
>
>With an internal md5 checker? It's not depending on debsums, which I've just
>installed. Or does it use an external "md5sum" binary?
>
> Gerhard
>
>
>--
>To UNSUBSCRIBE, email to [EMAIL PROTECTED]
>with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
John W. Bloodworth
Senior linux support technician
This answer was provided by the
Sutherland Support Center.
We provide solutions for most of your
Linux needs.
(800) 431-3787
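
The check mentioned in the thread (comparing a downloaded .deb against the MD5 sum recorded in the Packages file), as an added example that is not part of the original messages and is not apt's own code. It assumes the signature on the Packages file has already been verified, since the comparison is only as trustworthy as that file; the package names, paths and contents are constructed sample data.

```python
import hashlib

# Constructed sample data: a stand-in payload and a two-stanza Packages index.
GOOD_DEB = b"constructed bytes standing in for hello_1.0_all.deb"
SAMPLE_PACKAGES = (
    "Package: hello\n"
    "Description: sample entry\n"
    " folded continuation line\n"
    "Filename: pool/main/h/hello/hello_1.0_all.deb\n"
    f"Size: {len(GOOD_DEB)}\n"
    f"MD5sum: {hashlib.md5(GOOD_DEB).hexdigest()}\n"
    "\n"
    "Package: other\n"
    "Filename: pool/main/o/other/other_2.0_all.deb\n"
    "Size: 3\n"
    "MD5sum: 900150983cd24fb0d6963f7d28e17f72\n"  # MD5 of b"abc"
)


def parse_packages(text):
    """Return {Filename: {field: value}} from blank-line separated stanzas."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields, last = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and last:  # folded continuation line
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                last, value = line.split(":", 1)
                fields[last] = value.strip()
        if "Filename" in fields:
            index[fields["Filename"]] = fields
    return index


def verify(index, filename, data):
    """Check downloaded bytes against the index entry; returns (ok, reason)."""
    entry = index.get(filename)
    if entry is None:
        return False, "not listed in Packages"
    if int(entry.get("Size", -1)) != len(data):
        return False, "size mismatch"
    if hashlib.md5(data).hexdigest() != entry.get("MD5sum", "").lower():
        return False, "MD5 mismatch"
    return True, "ok"

if __name__ == "__main__":
    idx = parse_packages(SAMPLE_PACKAGES)
    print(verify(idx, "pool/main/o/other/other_2.0_all.deb", b"abd"))
```

A file that a mirror serves but that the verified Packages file does not list is rejected outright, which is the case raised in the question about uploaded packages with self-generated checksums.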