Re: dinstall and PGP

To: debian-devel@lists.debian.org
Subject: Re: dinstall and PGP
From: Enrique Zanardi <ezanardi@ull.es>
Date: Wed, 8 Apr 1998 20:50:56 +0100
Message-id: <[🔎] 19980408205056.49491@molec3>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 19980408202348.03829@wonderland.linux.it>; from Marco d'Itri on Wed, Apr 08, 1998 at 08:23:48PM +0200
References: <[🔎] 19980408202348.03829@wonderland.linux.it>

On Wed, Apr 08, 1998 at 08:23:48PM +0200, Marco d'Itri wrote:
> Can someone hack dinstall to install packages which are not PGP signed
> but has been copied to incoming? If the UID of the files is the one of a
> developer we can know who did upload the package.

No. We know which account the uploader used. (Even that is not true. The
uploader may have changed the UID if he obtained root privileges, but
then he can bypass dinstall). And what about packages uploaded to chiar
or erlangen?

We should be talking about improving our security instead (by signing the 
packages, and not the .changes file). One of these days we will find
trojan horses in Debian packages at compromised mirror sites, and will
have to hear all that "But, RPM packages are PGPsigned..." stuff again
and again.

--
Enrique Zanardi						   ezanardi@ull.es
Dpto. Fisica Fundamental y Experimental			Univ. de La Laguna

--
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: dinstall and PGP
  - From: Fabien Ninoles <crow@nightbird.tzone.org>

References:
- dinstall and PGP
  - From: "Marco d'Itri" <md@linux.it>

Prev by Date: I18N (was Re: package pre-selections tool)
Next by Date: Re: dinstall and PGP
Previous by thread: dinstall and PGP
Next by thread: Re: dinstall and PGP
Index(es):
- Date
- Thread