.deb integrity check
Hi all.
(I remember that this subject came up some months ago, but I can't remember
or find the conclusion)
I have realised that dpkg can't check the package integrity. Somebody could
crack ftp.debian.org, put a new login package and get tons of passwords.
rpm has a --checksig option to verify the integrity of the package. Of
course, you can still compromise the PGP key found in the rpm package, but
it's better than nothing to my mind.
I think it would be interesting to PGP-sign the md5sums file included in
the packages with a Debian key and add an option to check this signature.
Any comments?
-- 
Hugo Haas (http://www.via.ecp.fr/~hugo/)
It might look like I'm doing nothing, but at the cellular level I'm really
quite busy.
Reply to: