Re: Revival of the signed debs discussion
* Matt Zimmerman (firstname.lastname@example.org) [031204 22:25]:
> On Thu, Dec 04, 2003 at 03:58:38PM -0500, Daniel Jacobowitz wrote:
> > On Thu, Dec 04, 2003 at 02:41:43PM -0500, Matt Zimmerman wrote:
> > > What kind of real world attacks do signed debs prevent?
> > >
> > > The only one which comes to mind is a rogue Debian developer that you do
> > > not wish to trust, even though the project trusts him.
> > Someone pretending to be someone Manoj trusts, offering him a corrupted
> > .deb offline?
> s/offline/without the corresponding signed metadata/
> The advantage would certainly appear to be one of convenience (keeping
> everything in one file), rather than security (preventing attacks).
If it is more convenient, then security actions are far more often
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C