Re: Official Debian digital 'branding' of debs
>>"Goswin" == Goswin Brederlow <email@example.com> writes:
Goswin> Manoj Srivastava <firstname.lastname@example.org> writes:
>> >>"Rene" == Rene Mayrhofer <email@example.com> writes:
>> To compromise the security, one would have to not only have
>> compromised the master key, one would have had to compromise the
>> debian keyring package, which is also signed by the maintainer.
Goswin> How would that make Deb files more secure (apart from the keyring
Goswin> package itself?) or is the md5sum in the packages file secure enough?
The assumption is that each package is signed by the
maintainer (and, possibly, have the detached signature be a part of
the .deb file itself, but, failing that, have the changes files
preserverved until we can get dpkg hacked).
"... And remember: if you don't like the news, go out and make some
of your own." "Scoop" Nisker, KFOG radio reporter Preposterous Words
Manoj Srivastava <firstname.lastname@example.org> <http://www.debian.org/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E