Hotmail live connector bug again ...
> Hi,
>
> If some packages are locally modified, this suggests that your local
> system is already compromised.
> :¬
>
> From: Alexander Konovalenko [mailto:[EMAIL PROTECTED]
> Sent: Saturday, 5 April 2008 06:11
> To: [email protected]
> Subject: How to verify package integrity after they have been downloaded?
>
> I would like to verify that some .deb files I downloaded a while ago
> (using apt) haven't been tampered with. (Actually, I'll be doing this
> kind of thing more than once.) I have the appropriate Release,
> Release.gpg and Packages files.
>
> As the apt-secure(8) manual page states, apt verifies the integrity of
> the .deb packages when it downloads them. But it doesn't do so when
> installing from cache. To make sure, I manually modified a .deb file
> in /var/cache/apt/archives/ and installed that package with apt-get.
> The modified package was installed without any warnings.
>
> (I'm working on Ubuntu 7.10 but I think there's no difference here
> between Debian and Ubuntu. Please correct me if I'm wrong.)
>
> I can verify the signature of the Release file and check the hash-sum
> of the Packages file by hand. But there are a lot of .deb files to
> verify. I could write a script that would parse the Packages file and
> extract the checksums so that its output could be fed to the
> {md5,sha1,sha256}sum -c commands. But it would take considerable
> effort to make the script robust enough so that it doesn't break on
> new or malicious Packages files.
>
> Is there a simpler way to verify the integrity of .deb packages that
> were downloaded with apt?
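
The kind of script the original question describes, as an added example that is not code from this thread: it parses a Packages file whose hash has already been checked against a signature-verified Release file, then compares the size and SHA256 of every .deb in a cache directory. The cache file naming (Package_Version_Arch.deb with ":" written as %3a) and the function names are assumptions of this example.

```python
import hashlib
import os
import re

# Field syntax (Debian policy); a stanza failing any check is ignored.
FIELD_RE = {
    "package": re.compile(r"[a-z0-9][a-z0-9+.-]+"),
    "version": re.compile(r"[A-Za-z0-9.+~:-]+"),
    "architecture": re.compile(r"[a-z0-9-]+"),
    "size": re.compile(r"[0-9]+"),
    "sha256": re.compile(r"[0-9a-f]{64}"),
}

def parse_packages(text):
    """Map expected cache file name -> set of (size, sha256) pairs."""
    index = {}
    for stanza in re.split(r"\n[ \t]*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line[:1].isspace():  # skip continuation lines
                fields[key.lower()] = value.strip()
        if not all(rx.fullmatch(fields.get(k, "")) for k, rx in FIELD_RE.items()):
            continue  # malformed or incomplete stanza: never trusted
        # Assumption: apt caches files as Package_Version_Arch.deb, ':' as %3a.
        version = fields["version"].replace(":", "%3a")
        name = f'{fields["package"]}_{version}_{fields["architecture"]}.deb'
        index.setdefault(name, set()).add((int(fields["size"]), fields["sha256"]))
    return index

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_cache(index, cache_dir):
    """Return {name: 'ok' | 'MISMATCH' | 'unknown'} for every .deb in cache_dir."""
    results = {}
    # Names come from the directory listing, never from the index, so a
    # hostile Packages file cannot steer the script to other paths.
    for name in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, name)
        if not name.endswith(".deb") or os.path.islink(path) or not os.path.isfile(path):
            continue
        results[name] = "unknown"  # not covered by this Packages file
        if name in index:
            found = (os.path.getsize(path), sha256_file(path))
            results[name] = "ok" if found in index[name] else "MISMATCH"
    return results
```

Files reported as "unknown" are not vouched for by the given Packages file; they may come from another repository or an older index and need that index to be checked.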