[Secure-testing-team] Re: announcing the beginning of security
support for testing
Marty
martyb at ix.netcom.com
Mon Sep 12 22:51:22 UTC 2005
Could a list of md5sums be provided for this archive, like the file
/debian/indices/md5sums.gz in the main (debian) archive? With the help
of a simple script, this file allows me to check the package integrity in my
mirror of the main debian archive. I am hoping that this method can be used
for other archives as well, as an alternative to the currently recommended
checking method.
The problem with the secure-testing checking procedure (which is also used
by security.debian.org and marillat archives) is that it requires apt 0.6.*
Unfortunately, the version of apt in debian testing is only 0.5.28.6 and in
any case it will be a long time before all of my systems run apt version 0.6
or higher.
In addition, the recommended checking procedure only checks packages
during installation, if I understand it correctly -- it cannot check the
inegrity of an entire mirror archive. For my purposes, I need to check
the integrity of all packages in my local archives, before I attempt to
install them.
Compounding this problem is the fact that rsync to the (primary) secure-testing
archive is disallowed using the -c (checksumming) option, understandably so.
rsync with checksumming has been my workaround with my local debian-security archive.
*See http://www.debian.org/doc/manuals/securing-debian-howto/ch7#s-deb-pack-sign
which is referenced by the Debian security FAQ.
More information about the Secure-testing-team
mailing list