3
Asked: Thu, April 7, 2022, 9:53:13 / answers: 1 / hits: 488

When trying to install tmux I get an error that Untrusted packages could compromise your system's security, similar to the situation in this thread. I ran aptitude update and the package installed without issue, but I am concerned that the update may have been compromised. My concern is enhanced as I see that the update was done without SSL (http address):



 - neptune():~$ sudo aptitude update
Ign http://il.archive.ubuntu.com quantal InRelease
Ign http://il.archive.ubuntu.com quantal-updates InRelease
Ign http://il.archive.ubuntu.com quantal-backports InRelease
Get: 1 http://il.archive.ubuntu.com quantal Release.gpg [933 B]
Get: 2 http://il.archive.ubuntu.com quantal-updates Release.gpg [933 B]
Get: 3 http://il.archive.ubuntu.com quantal-backports Release.gpg [933 B]
Hit http://il.archive.ubuntu.com quantal Release
Get: 4 http://il.archive.ubuntu.com quantal-updates Release [49.6 kB]
Ign http://security.ubuntu.com quantal-security InRelease
Ign http://archive.canonical.com quantal InRelease
Ign http://extras.ubuntu.com quantal InRelease
Ign http://dl.google.com stable InRelease
Ign http://ppa.launchpad.net quantal InRelease
Ign http://deb.opera.com stable InRelease
Ign http://ppa.launchpad.net quantal InRelease


EDIT: I have now been made aware that the targeted attacking of Israeli websites on April 7 has already begun. Therefore, there is increased suspicion of a compromised server. I could find more information about the attack if necessary, though I don't see much mention of it in widespread English-language news websites.



Clarification: I'm asking how to ensure that what I've already downloaded and installed is not compromised. I am not asking how Canonical ensures the security of repos.



 Answers
6

I cannot tell you how you do it for all packages, but here is a possible procedure for single packages.



Warning: The site I suggest to use does (strangely) not support https yet - so you cannot be certain that you are really talking to the correct site, which makes the check much less useful than expected - as Eliah Kagan pointed out in a comment.




  1. visit packages.ubuntu.com

  2. select your distro

  3. select "all packages" (down at the bottom)

  4. look into /var/cache/apt/archives and choose suspicious packages (for instance those with a recent date)

  5. run a sha256sum against that package

  6. choose that package on the website

  7. click on the link beneath Architecture

  8. compare the result from step 5 with the published value.


[#31876] Friday, April 8, 2022
ippalogu
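
Steps 4, 5 and 8 of the answer can be run over every cached package at once by taking the expected hashes from a Packages index instead of the website. This is an added example, not part of the original answer, and it generalizes the single-package check; `verify_debs`, `demo` and the sample data are constructed for illustration. It assumes an index in the Debian Packages format (`Filename` and `SHA256` fields), for example the concatenated, uncompressed `/var/lib/apt/lists/*_Packages` files that apt checks against the signed Release file, with `/var/cache/apt/archives` as the directory.

```shell
#!/bin/sh
# Added example; verify_debs and demo are hypothetical helper names.
# Usage: verify_debs INDEX DIR  (INDEX: Packages-format file with Filename
# and SHA256 fields). Prints OK/MISMATCH/UNKNOWN per .deb; returns 1 unless
# every file is OK.
verify_debs() {
    index=$1; dir=$2; rc=0
    for deb in "$dir"/*.deb; do
        [ -e "$deb" ] || continue
        name=$(basename "$deb")
        # apt's cache keeps the epoch in the file name ("2%3a7.3-1"); the
        # index's Filename field does not, so drop it before the lookup.
        key=$(printf '%s\n' "$name" | sed 's/_[0-9]*%3[aA]/_/')
        # Collect the SHA256 of every stanza whose Filename ends in /<key>.
        want=$(awk -v key="$key" '
            /^Filename:/ { n = split($2, p, "/"); hit = (p[n] == key) }
            /^SHA256:/   { sum = $2 }
            /^$/         { if (hit) print sum; hit = 0; sum = "" }
            END          { if (hit) print sum }' "$index")
        have=$(sha256sum "$deb" | cut -d' ' -f1)
        if [ -z "$want" ]; then
            echo "UNKNOWN $name"; rc=1
        elif printf '%s\n' "$want" | grep -qx "$have"; then
            echo "OK $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done
    return $rc
}

# Constructed sample data: one file that matches the index, one cached with
# an epoch whose index hash differs, and one the index does not list.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed tmux payload' > "$tmp/tmux_1.6-2_amd64.deb"
    printf 'constructed vim payload' > "$tmp/vim_2%3a7.3-1_amd64.deb"
    printf 'constructed extra payload' > "$tmp/extra_1.0_all.deb"
    good=$(sha256sum "$tmp/tmux_1.6-2_amd64.deb" | cut -d' ' -f1)
    bad=$(printf 'something else' | sha256sum | cut -d' ' -f1)
    printf 'Package: tmux\nFilename: pool/main/t/tmux/tmux_1.6-2_amd64.deb\nSHA256: %s\n\n' "$good" > "$tmp/Packages"
    printf 'Package: vim\nFilename: pool/main/v/vim/vim_7.3-1_amd64.deb\nSHA256: %s\n' "$bad" >> "$tmp/Packages"
    status=0; verify_debs "$tmp/Packages" "$tmp" || status=1
    rm -rf "$tmp"
    return $status
}
```

An UNKNOWN result means no loaded index lists that file name, which is expected for packages that have since been superseded in the archive and is not by itself evidence of tampering.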

Total Points: 215
Total Questions: 127
Total Answers: 146

Location: Denmark
Member since Tue, Jul 19, 2022
2 Years ago
ippalogu questions
Tue, Jan 4, 22, 21:49, 2 Years ago
Tue, Sep 21, 21, 09:12, 3 Years ago
Wed, May 19, 21, 02:24, 3 Years ago
Mon, Dec 27, 21, 01:44, 2 Years ago
;