Hi, i have a question about how to verify integrity of Debian packages. I want to verify that all packages that are to be installed are from "official Debian mirror uploads".
Reason for this is to run Linux (preferably Debian ;-) in somewhat more secure environments. I had a curious situation about this yesterday, when i installed a new potato system from deb ftp mirrors. Installing the system was no problem, but when i installed xdm i lost my passwd and shadow file, and rebooting showed a lot of filesys errors. After the third try with same result i switched to woody, which runs fine now. First i just wondered about potato (== stable!!) or my capabilties to install it and didn't think much more about it. But in the meantime i heard of an similar problem with some customers of us, and some people were getting concerned about security. Especially they heard of rumors about root-kits that "kill" passwd's and the like. This can kick Debian online install/update out of companies. I remember Debian folks wher talking about some kind of checksums to integrate in package manager system (dpkg e.a.) some time ago. Is there any work in progress, where can i find out more about this? I took a look on Debian's documentation and security section but did not find anything about this. Gerhard
