Dear list,

I asked myself how I can check whether the packages on a mirror have not been manipulated.

The background of this is: the government institution I worked for before set up its own Debian repo mirror, so that the servers on its network could be upgraded from it. However, I mistrusted the institution and feared they had manipulated packages and built in backdoors (for example) or other things. Of course I can verify each single package against the original Debian repo, but that is very toilsome. I checked the apt-* packages, but none of them described my needs.

Is there a way (or maybe a package) to check a mistrusted package and verify it against another trusted repository? Of course I know any repo is trusted by a PGP key (GPG key), but then I trust the whole source. This is clear to me. But I want to check every single package (with identical versions, of course), to give such traitors no chance. Is this possible at all?

Thanks for any hints.

Best regards
Hans
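One way to do the per-package comparison asked about above, as an added example that is not part of the original post: compare the SHA256 fields of the mirror's `Packages` index with those of a trusted index, keyed on package, version and architecture. It assumes both indices are already downloaded and decompressed and that the trusted one was checked against its signed Release file; the package names, versions and file contents below are constructed.

```python
import hashlib
import re

KEY_FIELDS = ("Package", "Version", "Architecture")


def parse_packages(text):
    """Map (Package, Version, Architecture) -> SHA256 from a Packages index."""
    index = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            # Lines starting with whitespace continue the previous field
            # (e.g. the long Description) and carry nothing needed here.
            if line[:1] in (" ", "\t") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
        if "SHA256" in fields and all(f in fields for f in KEY_FIELDS):
            index[tuple(fields[f] for f in KEY_FIELDS)] = fields["SHA256"].lower()
    return index


def compare(trusted_text, mirror_text):
    """Return (mismatched, unknown): same version but different hash, and
    entries the trusted index does not list at all."""
    trusted, mirror = parse_packages(trusted_text), parse_packages(mirror_text)
    mismatched = sorted(k for k in mirror if k in trusted and mirror[k] != trusted[k])
    unknown = sorted(k for k in mirror if k not in trusted)
    return mismatched, unknown


def deb_matches(trusted, key, deb_bytes):
    """Check a file actually served by the mirror against the trusted hash."""
    return trusted.get(key) == hashlib.sha256(deb_bytes).hexdigest()


# Constructed sample data: stand-ins for .deb contents and two small indices.
GOOD, BAD = b"constructed package contents", b"constructed tampered contents"

def _stanza(name, version, blob):
    return (f"Package: {name}\nVersion: {version}\nArchitecture: amd64\n"
            f"Description: sample\n extended: text\n"
            f"SHA256: {hashlib.sha256(blob).hexdigest()}\n")

TRUSTED = _stanza("hello", "2.10-3", GOOD) + "\n" + _stanza("tool", "1.0-1", GOOD)
MIRROR = "\n".join([_stanza("hello", "2.10-3", BAD), _stanza("tool", "1.0-1", GOOD),
                    _stanza("extra", "0.1-1", GOOD)])

if __name__ == "__main__":
    print(compare(TRUSTED, MIRROR))
```

Entries reported as unknown need a second look by hand: they may be older or newer versions the trusted index no longer or not yet lists, or packages the mirror added itself.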