Hi,

On Fri, Nov 22, 2019 at 03:20:45PM +0300, dinar qurbanov wrote:
> so, in order to serve a package with malware to a
> user, distribution/repository admins would have to also serve wrong
> "packages" and "release" files to him. so, if a user checks the
> "release" file, that it is ok, enough, he can be sure that packages
> are also ok.

There are also the Release.gpg and InRelease files, which contain a PGP signature for the data in the Release file, anchoring the trust chain in a public key distributed inside the Debian installer, so an attacker cannot generate a Release file that will be accepted by apt.

It is possible to delay updates by several days, as apt accepts older timestamps on Release files, precisely so out-of-date mirrors can be used for noncritical updates. The security updates are distributed centrally, and the timestamp on those files is checked more stringently (the Release file on the security mirror has a Valid-Until field; after that time apt requires that package lists are refreshed).

> from point of view of users, debian
> may have to send malware to some users by government request. if to
> say about all distributions, there may be malicious distributions.

There is only one central point by which packages enter the mirror network, so comparing packages across mirrors does not give any advantage. If the central point is compromised, all mirrors are; if individual mirrors are compromised, they are unable to serve packages at all, because they do not have a valid signed Release file.

Simon
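As an added illustration of the chain Simon describes (not code from the thread or from apt itself): once the signature over Release has been accepted, apt walks Release -> Packages -> .deb by hash and refuses a Release whose Valid-Until has passed. The script below does that walk over constructed sample data; the field layout follows Debian's Release and Packages formats, the signature step is assumed already done, and the Valid-Until timestamp format is assumed to match what Debian mirrors emit.

```python
import hashlib
from datetime import datetime
DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"   # timestamp format used in Debian Release files

def parse_release(text):
    """Return (fields, index): Release fields and its SHA256 section as path -> (sha256, size)."""
    fields, index, section = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" "):            # indented lines belong to the current hash section
            if section == "SHA256":
                digest, size, path = line.split()
                index[path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")
        fields[key], section = value.strip(), key
    return fields, index

def digest_matches(expected_digest, expected_size, data):
    return len(data) == expected_size and hashlib.sha256(data).hexdigest() == expected_digest

def packages_entry(packages_text, filename):
    """Return the (sha256, size) that a Packages index records for one .deb filename."""
    for stanza in packages_text.strip().split("\n\n"):
        f = dict(line.split(": ", 1) for line in stanza.splitlines())
        if f.get("Filename") == filename:
            return f["SHA256"], int(f["Size"])
    return None

def verify_chain(release_text, index_path, packages_text, filename, deb_bytes, now_text):
    """Walk Release -> Packages -> .deb as apt does after accepting the Release signature."""
    fields, index = parse_release(release_text)
    # apt rejects a Release file whose Valid-Until (if present) lies in the past
    if "Valid-Until" in fields and \
       datetime.strptime(now_text, DATE_FMT) > datetime.strptime(fields["Valid-Until"], DATE_FMT):
        return "release-expired"
    if index_path not in index or not digest_matches(*index[index_path], packages_text.encode()):
        return "index-mismatch"
    entry = packages_entry(packages_text, filename)
    if entry is None or not digest_matches(*entry, deb_bytes):
        return "package-mismatch"
    return "ok"

# Constructed sample data, not taken from any real mirror.
DEB = b"!<arch>\nconstructed package contents\n"
FILENAME = "pool/main/e/example_1.0_all.deb"
PACKAGES = (f"Package: example\nVersion: 1.0\nFilename: {FILENAME}\n"
            f"Size: {len(DEB)}\nSHA256: {hashlib.sha256(DEB).hexdigest()}\n")
INDEX_PATH = "main/binary-amd64/Packages"
RELEASE = ("Suite: stable\nDate: Fri, 22 Nov 2019 12:00:00 UTC\n"
           "Valid-Until: Fri, 29 Nov 2019 12:00:00 UTC\nSHA256:\n"
           f" {hashlib.sha256(PACKAGES.encode()).hexdigest()} {len(PACKAGES)} {INDEX_PATH}\n")
```

A mirror that alters a Packages index or a .deb without a matching, validly signed Release therefore fails at "index-mismatch" or "package-mismatch", and a stale Release past its Valid-Until fails before any package is considered.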