Re: Verify a mirror?

2022-09-20 Thread David Christensen
On 9/20/22 02:53, Tim Woodall wrote: On Tue, 20 Sep 2022, Hans wrote: I asked myself how I can check that there are no manipulated packages on a mirror. apt does this for you. There are a set of gpg public keys in /etc/apt/trusted.gpg.d. When apt downloads the releases file it verifies it with

[OT] your clock, was Re: Verify a mirror?

2022-09-20 Thread David Wright
Your clock appears to be fast by the precise number of seconds it took for your post to leave your computer and reach my mail server.

Arrived: Tue, 20 Sep 2022 19:16:05 +0100 (BST)
Posted: Tue, 20 Sep 2022 20:16:05 +0200

That's the output of a tiny script that I was just tweaking, that uses

Re: Verify a mirror?

2022-09-20 Thread tomas
On Tue, Sep 20, 2022 at 07:27:33PM +0100, Tim Woodall wrote:
> On Tue, 20 Sep 2022, Hans wrote:
>
> > Hi Tim,
> >
> > I am not sure you are correct. But please correct me!
> > > apt does this for you. There are a set of gpg public keys in
> > > /etc/apt/trusted.gpg.d.
> > >
> >
> > Yes, apt

Re: Verify a mirror?

2022-09-20 Thread tomas
On Tue, Sep 20, 2022 at 08:16:05PM +0200, Thomas Schmitt wrote:
> Hi,
>
> to...@tuxteam.de wrote:
> > If some Evil Instance is controlling your whole internet, well...
> > your installation media will be already compromised.
>
> The attacker must not forget to fake the page with the Debian GPG
>

Re: Verify a mirror?

2022-09-20 Thread Tim Woodall
On Tue, 20 Sep 2022, Hans wrote: Hi Tim, I am not sure you are correct. But please correct me! apt does this for you. There are a set of gpg public keys in /etc/apt/trusted.gpg.d. Yes, apt is trusting the whole server, so it verifies that a server who claims to be repo.debian.org is the

Re: Verify a mirror?

2022-09-20 Thread Thomas Schmitt
Hi,

to...@tuxteam.de wrote:
> If some Evil Instance is controlling your whole internet, well...
> your installation media will be already compromised.

The attacker must not forget to fake the page with the Debian GPG signatures:
https://www.debian.org/CD/verify
Further any contact has to be

Re: Verify a mirror?

2022-09-20 Thread tomas
On Tue, Sep 20, 2022 at 06:40:01PM +0200, Hans wrote:
> Hi Tim,
>
> I am not sure you are correct. But please correct me!
> > apt does this for you. There are a set of gpg public keys in
> > /etc/apt/trusted.gpg.d.
> >
>
> Yes, apt is trusting the whole server, so it verifies that a server

Re: Verify a mirror?

2022-09-20 Thread Hans
Hi Tim,

I am not sure you are correct. But please correct me!

> apt does this for you. There are a set of gpg public keys in
> /etc/apt/trusted.gpg.d.
>

Yes, apt is trusting the whole server, so it verifies that a server who claims to be repo.debian.org is the real one, nothing else.

>

Re: Verify a mirror?

2022-09-20 Thread Tim Woodall
On Tue, 20 Sep 2022, Hans wrote: Dear list, I asked myself how I can check that there are no manipulated packages on a mirror. The background of this is: The government institution I worked at before set up its own Debian repo mirror, so that the servers of its network could be upgraded from

Verify a mirror?

2022-09-20 Thread Hans
Dear list, I asked myself how I can check that there are no manipulated packages on a mirror. The background of this is: The government institution I worked at before set up its own Debian repo mirror, so that the servers of its network could be upgraded from it. However, I mistrusted the