Re: dinstall and PGP
On Wed, Apr 08, 1998 at 08:23:48PM +0200, Marco d'Itri wrote:
> Can someone hack dinstall to install packages which are not PGP signed
> but has been copied to incoming? If the UID of the files is the one of a
> developer we can know who did upload the package.
No. We know which account the uploader used. (Even that is not true. The
uploader may have changed the UID if he obtained root privileges, but
then he can bypass dinstall). And what about packages uploaded to chiar
or erlangen?
We should be talking about improving our security instead (by signing the
packages, and not the .changes file). One of these days we will find
trojan horses in Debian packages at compromised mirror sites, and will
have to hear all that "But, RPM packages are PGPsigned..." stuff again
and again.
--
Enrique Zanardi ezanardi@ull.es
Dpto. Fisica Fundamental y Experimental Univ. de La Laguna
--
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: