Re: Crypto signing of packages
Richard Jones <email@example.com> wrote:
>I don't even think maintainer key compromise is the most likely route of
>trojans, just as effective would be to compromise the maintainers machine,
>modifying either the original source on which the maintainer depends on for
>building the debian package or the patch to that source. If the maintainer
How? The original source is md5sum'med, and that md5sum is stored on the
Debian archive. (I'm assuming here that you're talking about second and
subsequent releases). The dinstall program will reject uploads with
incorrect md5sums (trust me, it's happened to me :-) in either the .dsc
or the .changes file.
In the Debian source, it would be seen in the patch.
'Course, this _would_ apply if you were uploading a trojan-ised -1
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com