
Re: Don't be misled

Posted Sep 18, 2003 7:56 UTC (Thu) by tarvin (subscriber, #4412)
In reply to: Don't be misled by ncm
Parent article: Revisiting RPM Package Management

I've recently considered switching to Debian, because of the uncertainties surrounding the future of Red Hat's free distribution, and because of the very short support-lives that have been announced for the free versions of Red Hat's distribution.

Unfortunately, it seems that digital signing of deb-packages hasn't proceeded significantly. In effect, Debian still doesn't offer pgp-signed packages.
In my dark opinion, it's a simple matter of time before a major Debian mirror site is cracked and trojan-infected software is distributed. Without digitally signed packages, I wouldn't have much of a chance to detect such a situation.

Does anyone know if digitally signed deb-packages might be realistic within the foreseeable future?



Re: Don't be misled

Posted Sep 18, 2003 9:38 UTC (Thu) by rganesan (subscriber, #1182) [Link]

Individual Debian packages are not signed but a Debian archive/mirror is quite safe. First, any upload of a package to the primary FTP site is digitally signed (not the package itself, but the package "description"). Next, Debian signs a Release file which contains the md5sum of the "Packages" file which contains the list of all packages. Finally, the Packages file contains md5sums of each individual package. See
http://www.debian.org/doc/manuals/securing-debian-howto/ch7.en.html#s-deb-pack-sign
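The Release -> Packages -> .deb hash chain described in the comment above, as an added example that is not code from LWN, Debian or apt: the sample mirror files are constructed inline, and the gpg check of Release.gpg that anchors the chain is assumed to have been done separately before this runs.

```python
import hashlib
import re
# Constructed sample mirror (not a real Debian archive), laid out as described above.
PACKAGES_PATH = "main/binary-i386/Packages"
DEB_PATH = "pool/main/e/example/example_1.0-1_i386.deb"
DEB_BYTES = b"!<arch>\nconstructed .deb contents, not a real package\n"
PACKAGES_BYTES = (
    f"Package: example\nVersion: 1.0-1\nFilename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\nMD5sum: {hashlib.md5(DEB_BYTES).hexdigest()}\n\n"
).encode()
RELEASE_BYTES = (
    "Origin: Debian\nSuite: stable\nMD5Sum:\n"
    f" {hashlib.md5(PACKAGES_BYTES).hexdigest()} {len(PACKAGES_BYTES)} {PACKAGES_PATH}\n"
).encode()
MIRROR = {"Release": RELEASE_BYTES, PACKAGES_PATH: PACKAGES_BYTES, DEB_PATH: DEB_BYTES}

def parse_release_md5sums(release_text):
    """Return {path: (md5, size)} from the 'MD5Sum:' section of a Release file."""
    sums, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_section = True
        elif in_section and line.startswith(" "):
            md5, size, path = line.split()
            sums[path] = (md5, int(size))
        else:
            in_section = False  # any other field (e.g. SHA1:) ends the section
    return sums

def parse_packages(packages_text):
    """Return {Filename: (MD5sum, Size)} for every stanza of a Packages file."""
    entries = {}
    for stanza in packages_text.split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z0-9-]+): (.*)$", stanza, re.M))
        if "Filename" in fields:
            entries[fields["Filename"]] = (fields["MD5sum"], int(fields["Size"]))
    return entries

def matches(data, expected):  # both the size and the md5sum must agree
    return len(data) == expected[1] and hashlib.md5(data).hexdigest() == expected[0]

def verify_deb(mirror, packages_path, deb_path):
    """Walk Release -> Packages -> .deb. The Release file's own signature
    (Release.gpg) is assumed to have been checked with gpg beforehand."""
    release = parse_release_md5sums(mirror["Release"].decode())
    if not matches(mirror[packages_path], release.get(packages_path, ("", -1))):
        return False
    packages = parse_packages(mirror[packages_path].decode())
    return deb_path in packages and matches(mirror[deb_path], packages[deb_path])
```

A tampered .deb or Packages file fails the walk even though every file on the mirror is self-consistent, which is the point: only the signed Release file, not the mirror, is trusted. Current Debian Release files also carry SHA256 sections, which apt prefers over the md5sums shown here.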

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds