SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Yes, anonymous login (username "anonymous" and e-mail address for password) should work. I just tried it too and got the same error -- "530 Limit reached. Visit http://www.slackware.com/getslack/ for mirrors." -- that rg3 got.
Yes, it would be nice to get the .asc and MD5sums from the official site to check downloaded packages when there's an update.
However, slackware.osuosl.org seems to work just fine.
Yes, it would be nice to get the .asc and MD5sums from the official site to check downloaded packages when there's an update.
As long as you have the Slackware GPG key, an .asc file from any mirror location should be as good as the one from slackware.com. There is no way the .asc file can be manipulated without getting errors in the "gpg --verify" step later on.
Again, you can treat slackware.osuosl.org as the master site. However, it's relevant to point out that, from the paranoid security point of view, it's not as simple as verifying the .asc file from any mirror. When there are security updates, a hypothetical evil mirror could just rename the old package file and signature, and it will not give any errors when verifying the signature. The user may or may not notice they're still using the vulnerable version.
There are two solutions that make sense. One is to download the CHECKSUMS.md5 files and their signatures, verifying those signatures, and then checking the MD5 sums of the downloaded packages. A second solution is to download the signatures from a master site, like slackware.osuosl.org, even when you download the packages themselves from a normal mirror.
Again, you can treat slackware.osuosl.org as the master site. However, it's relevant to point out that, from the paranoid security point of view, it's not as simple as verifying the .asc file from any mirror. When there are security updates, a hypothetical evil mirror could just rename the old package file and signature, and it will not give any errors when verifying the signature. The user may or may not notice they're still using the vulnerable version.
There are two solutions that make sense. One is to download the CHECKSUMS.md5 files and their signatures, verifying those signatures, and then checking the MD5 sums of the downloaded packages. A second solution is to download the signatures from a master site, like slackware.osuosl.org, even when you download the packages themselves from a normal mirror.
I think it's worth pointing out these details.
While you can spoof a .md5 file (by messing with the package and then re-generating the .md5 file) you can never spoof a GPG signature (the .asc file) because re-generating the content of the .asc file requires that you have Patric Volkerding's private GPG key plus his password in your possession.
Therefore, if a .asc file validates (gpg --verify) then you can be certain that you have the unmodified package, even if the .asc file was downloaded from a shady mirror site.
Therefore, if a .asc file validates (gpg --verify) then you can be certain that you have the unmodified package, even if the .asc file was downloaded from a shady mirror site.
Eric his method does actually work
You can simply rename the old file and it's .asc file to be the same as the newer patched version and they will verify perfectly.
The trick is not changing the data but rather making someone think they are getting a newer version when in fact they are keeping the same old version.
Code:
michael@indigo:/mnt/disk2/temp$ gpg -v --verify my-fake-package.txz.asc
gpg: armor header: Version: GnuPG v1.4.10 (GNU/Linux)
gpg: assuming signed data in `my-fake-package.txz'
gpg: Signature made Fri 25 Jun 2010 15:54:12 EST using DSA key ID 40102233
gpg: using PGP trust model
gpg: Good signature from "Slackware Linux Project <security@slackware.com>"
gpg: binary signature, digest algorithm SHA1
Last edited by wildwizard; 08-26-2010 at 06:56 AM.
Yes but that still gives you an actual original unmodified Slackware package. No harmful code will be installed.
But I get your point, and that is why there is also a CHECKSUMS.md5.asc file which allows you to validate the CHECKSUMS.md5 file as authentic and that verified & validated CHECKSUMS.md5 file in turn allows you to check the md5sum of every individual package. There is no way around that. If you rename a package it will get caught by a check of the md5sums.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
