
Re: Don't be misled

Posted Sep 18, 2003 9:38 UTC (Thu) by rganesan (subscriber, #1182)
In reply to: Re: Don't be misled by tarvin
Parent article: Revisiting RPM Package Management

Individual Debian packages are not signed but a Debian archive/mirror is quite safe. First, any upload of a package to the primary FTP site is digitally signed (not the package itself, but the package "description"). Next, Debian signs a Release file which contains the md5sum of the "Packages" file which contains the list of all packages. Finally, the Packages file contains md5sums of each individual package. See
http://www.debian.org/doc/manuals/securing-debian-howto/ch7.en.html#s-deb-pack-sign
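
The chain described in the comment above (signed Release, then Packages, then each package), walked in code. This is an added example, not part of the original comment or Debian's own tooling; the sample archive data and the function names are constructed for illustration, and the signature on Release is assumed to have been verified separately.

```python
import hashlib

def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def parse_release_md5(release: str) -> dict:
    """Map each path in the Release file's MD5Sum: section to (md5, size)."""
    entries, in_section = {}, False
    for line in release.splitlines():
        if line.startswith("MD5Sum:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False  # any other field ends the section
    return entries

def parse_packages(packages: str) -> dict:
    """Map each stanza's Filename: to its MD5sum: value."""
    index = {}
    for stanza in packages.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l.startswith(" "))
        index[fields["Filename"]] = fields["MD5sum"]
    return index

def verify_chain(release, pkgs_path, pkgs_bytes, deb_path, deb_bytes) -> str:
    """Walk Release -> Packages -> .deb. Assumes the signature on Release
    was already verified out of band (this code does not call gpg)."""
    digest, size = parse_release_md5(release).get(pkgs_path, (None, -1))
    if len(pkgs_bytes) != size or md5(pkgs_bytes) != digest:
        return "Packages does not match Release"
    expected = parse_packages(pkgs_bytes.decode()).get(deb_path)
    if expected is None:
        return "package not listed in Packages"
    if md5(deb_bytes) != expected:
        return "package does not match Packages"
    return "ok"

# Constructed sample archive (not real Debian data).
DEB_PATH = "pool/main/h/hello/hello_1.0_i386.deb"
PKGS_PATH = "main/binary-i386/Packages"
DEB = b"constructed .deb contents"
PACKAGES = (f"Package: hello\nVersion: 1.0\nFilename: {DEB_PATH}\n"
            f"Size: {len(DEB)}\nMD5sum: {md5(DEB)}\n"
            "Description: constructed entry\n for this example\n").encode()
RELEASE = (f"Origin: Example\nSuite: stable\nMD5Sum:\n"
           f" {md5(PACKAGES)} {len(PACKAGES)} {PKGS_PATH}\n")
```

Current Release and Packages files also list SHA256 digests; the same walk applies with `hashlib.sha256` and the corresponding fields.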

