That seems the best way. The seconde step will be to use an another OS that the first to reduce even more attack surface from readed disk.
-- Julien -----Message d'origine----- De : Alexander Konovalenko [mailto:[EMAIL PROTECTED] Envoyé : samedi, 5. avril 2008 22:33 À : [email protected] Cc : Julien Stuby Objet : Re: How to verify package integrity after they have been downloaded? On Sun, Apr 6, 2008, Julien Stuby <[EMAIL PROTECTED]> wrote: > Hi, > > If some packages are localy modified, This suggests that your local system > is already compromised. > :¬ Of course. I will be verifying the integrity of my .deb files from another, more trusted system (a LiveCD or a hardened host that have never been connected to any network, etc.). So the compromise of my system won't prevent me from checking the package integrity securely. The second system is not immune. It might have a vulnerability in its filesystem layer or in the code that processes the Release and Packages files, and a local IDS might not be able to detect the exploitation of such a vulnerability. But that is acceptable because the attack surface of the trusted system is much reduced compared to that of the first system. -- Alexander
