When trying to install tmux I get an error that "Untrusted packages could compromise your system's security", similar to the situation in this thread. I ran aptitude update and the package installed without issue, but I am concerned that the update may have been compromised. My concern is enhanced as I see that the update was done without SSL (http address):
neptune():~$ sudo aptitude update
Ign http://il.archive.ubuntu.com quantal InRelease
Ign http://il.archive.ubuntu.com quantal-updates InRelease
Ign http://il.archive.ubuntu.com quantal-backports InRelease
Get: 1 http://il.archive.ubuntu.com quantal Release.gpg [933 B]
Get: 2 http://il.archive.ubuntu.com quantal-updates Release.gpg [933 B]
Get: 3 http://il.archive.ubuntu.com quantal-backports Release.gpg [933 B]
Hit http://il.archive.ubuntu.com quantal Release
Get: 4 http://il.archive.ubuntu.com quantal-updates Release [49.6 kB]
Ign http://security.ubuntu.com quantal-security InRelease
Ign http://archive.canonical.com quantal InRelease
Ign http://extras.ubuntu.com quantal InRelease
Ign http://dl.google.com stable InRelease
Ign http://ppa.launchpad.net quantal InRelease
Ign http://deb.opera.com stable InRelease
Ign http://ppa.launchpad.net quantal InRelease
EDIT: I have now been made aware that the targeted attacking of Israeli websites on April 7 has already begun. Therefore, there is increased suspicion of a compromised server. I could find more information about the attack if necessary, though I don't see much mention of it in widespread English-language news websites.
Clarification: I'm asking how to ensure that what I've already downloaded and installed is not compromised. I am not asking how Canonical ensures the security of repos.
I cannot tell you how you do it for all packages, but here is a possible procedure for single packages.
Warning: The site I suggest to use does (strangely) not support https yet - so you cannot be certain that you are really talking to the correct site, which makes the check much less useful than expected - as Eliah Kagan pointed out in a comment.
1. Go to /var/cache/apt/archives and choose suspicious packages (for instance those with a recent date).
2. Run sha256sum on each of those packages.
3. Look up the published checksum for the same package version and compare it against that package.

Don't worry.
As Eliah explained in his comment, APT is secured using GnuPG. The public keys for the archives of Ubuntu are installed on your system and you should check those. After every download the file will be checked for integrity by the GPG/PGP signature and thus you can be sure nobody has tampered with it. In case that fails, you'll see the exact warning you got in the first place.
A more thorough explanation of how to find and validate keys is given here: Ubuntu Community wiki: SecureApt
Using SSL won't make it more secure. The only thing you'll be hiding from all peers in between you and the archive server is what you're transferring/downloading, and it won't protect anything more with respect to integrity.
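The two answers together describe one verification chain: the Release file is signed with the archive key, the Release file lists the hash of the Packages index, and the Packages index lists the SHA256 of every .deb. The script below is an added example (not code from either answer or from Ubuntu) that walks that chain offline for a package already sitting in /var/cache/apt/archives. It assumes standard Debian/Ubuntu paths (/var/cache/apt/archives, /var/lib/apt/lists, /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d) and the apt-cache, sha256sum and gpgv tools; the package name and list-file names passed in are whatever applies on your own machine.

```shell
#!/bin/sh
# Added example: check an already-downloaded .deb against the SHA256 that
# APT's GPG-verified Packages index records for it, and optionally re-check
# the detached signature on a cached Release file with the keys APT trusts.
# Paths below are the usual Debian/Ubuntu defaults (assumption).
set -u

# verify_deb FILE EXPECTED_SHA256
# Returns 0 when FILE's SHA-256 equals EXPECTED_SHA256, 1 otherwise.
verify_deb() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# expected_sha256 PKG
# Prints the SHA256 field APT holds for PKG. This value comes from a Packages
# index whose own hash is listed in the GPG-signed Release/InRelease file, so
# it is only as trustworthy as the archive key in your keyring.
expected_sha256() {
    apt-cache show "$1" | awk '/^SHA256:/ { print $2; exit }'
}

# check_cached_package PKG
# Locates the newest cached .deb for PKG and compares it with the index hash.
# Exit status: 0 match, 1 mismatch, 2 nothing to compare.
check_cached_package() {
    pkg=$1
    deb=$(ls -t /var/cache/apt/archives/"${pkg}"_*.deb 2>/dev/null | head -n1)
    [ -n "$deb" ] || { echo "no cached .deb for $pkg"; return 2; }
    exp=$(expected_sha256 "$pkg")
    [ -n "$exp" ] || { echo "no SHA256 in index for $pkg"; return 2; }
    if verify_deb "$deb" "$exp"; then
        echo "OK: $deb matches index SHA256 $exp"
    else
        echo "MISMATCH: $deb does not match index SHA256 $exp"
        return 1
    fi
}

# verify_release RELEASE_FILE SIG_FILE
# Re-runs the signature check APT performs, using gpgv with the trusted
# keyrings. Example arguments (hypothetical names, look in /var/lib/apt/lists):
#   /var/lib/apt/lists/il.archive.ubuntu.com_ubuntu_dists_quantal_Release
#   /var/lib/apt/lists/il.archive.ubuntu.com_ubuntu_dists_quantal_Release.gpg
verify_release() {
    release=$1
    sig=$2
    set -- --keyring /etc/apt/trusted.gpg
    for k in /etc/apt/trusted.gpg.d/*.gpg; do
        [ -f "$k" ] && set -- "$@" --keyring "$k"
    done
    gpgv "$@" "$sig" "$release"
}

# Usage: sh verify-cached.sh tmux
if [ $# -gt 0 ]; then
    check_cached_package "$1"
fi
```

If check_cached_package reports a mismatch, the .deb in the cache is not the file the signed index describes and should not be trusted; if verify_release fails, the index itself was not signed by a key in your keyring, which is exactly the condition that produces the "Untrusted packages" warning in the first place. Both checks are purely local and do not depend on whether the mirror was reached over http or https.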