I am planning to run a production server on Ubuntu LTS 8.04 and I am concerned about security of the packages I am installing I want to make sure that packages that are downloaded by apt-get were not tampered with.
- How do I view the digital signatures associated with a package in ubuntu?
- Does apt-get install, apt-get update, apt-get upgrade automatically check digital signatures when downloading, installing packages or do I need to pass a command line option for these checks to happen?
- Who am I trusting when I install a package using apt-get install assuming that the package is part of the ubuntu main distribution, am I trusting canonical, debian, or an open source contributor?
Best Answer
You are trusting that canonical compiled the program so it did not have any tampering that is not evident in the source code, and that they verified the signature on the source code from the ubuntu developer that uploaded it, or that debian did the same for the debian developer who uploaded it, if the package came from debian. You are trusting the developer who uploaded the source package, who of course, can not thoroughly review all of the upstream code, so you are also trusting all of the upstream open source contributors.