Re: .deb integrity check



Amos Shapira wrote:
> It should be somehow possible to verify WHICH key should be verified,
> and be able to obtain this in an independent way (i.e. if the package
> is modified, and the key to be verified is directed to the cracker's
> key then your verification wouldn't reveal this, would it?).

If the package has to be signed by a key in the debian keyring, which itself
must be signed by a single key, they can't do this.

It then becomes a matter of making sure people know what that key is and
preventing anyone from replacing it with a different key somewhere. I think
that's where we left off last time this discussion came around.

-- 
see shy jo
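
Added example, not part of the original message or of Debian's tooling: a sketch of the chain described above, where a package is signed by a key listed in a keyring, the keyring is signed by one root key, and the root key's fingerprint is pinned out of band. Lamport one-time signatures stand in for PGP so it runs on the Python standard library alone; all function names and sample data are constructed.

```python
import hashlib, os

def H(b): return hashlib.sha256(b).digest()

# Lamport one-time signature (stand-in for PGP): 256 secret pairs, public key = their hashes.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, b"".join(H(s) for pair in sk for s in pair)

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):  # reveal one secret per digest bit; each key signs one message only
    return b"".join(sk[i][b] for i, b in enumerate(bits(msg)))

def verify(pk, msg, sig):
    if len(pk) != 512 * 32 or len(sig) != 256 * 32:
        return False
    return all(H(sig[32*i:32*i+32]) == pk[64*i+32*b:64*i+32*b+32]
               for i, b in enumerate(bits(msg)))

def fingerprint(pk): return H(pk).hex()

def check_package(pinned_root_fp, root_pk, keyring, keyring_sig, deb, signer_pk, deb_sig):
    # Walk the chain from the pinned root down to the package.
    if fingerprint(root_pk) != pinned_root_fp:
        return "root key does not match pinned fingerprint"
    if not verify(root_pk, "\n".join(keyring).encode(), keyring_sig):
        return "keyring not signed by root key"
    if fingerprint(signer_pk) not in keyring:
        return "signer key not in keyring"
    return "ok" if verify(signer_pk, deb, deb_sig) else "bad package signature"

def demo():
    root_sk, root_pk = keygen()
    dev_sk, dev_pk = keygen()
    keyring = [fingerprint(dev_pk)]
    keyring_sig = sign(root_sk, "\n".join(keyring).encode())
    pinned = fingerprint(root_pk)  # assumed to reach the user out of band
    deb = b"constructed package contents"
    good = check_package(pinned, root_pk, keyring, keyring_sig, deb, dev_pk, sign(dev_sk, deb))
    # Case 1: modified package that points at a different key, genuine keyring.
    evil_sk, evil_pk = keygen()
    evil_deb = b"constructed modified contents"
    evil_sig = sign(evil_sk, evil_deb)
    swapped = check_package(pinned, root_pk, keyring, keyring_sig, evil_deb, evil_pk, evil_sig)
    # Case 2: root key and keyring replaced as well; only the pin catches this.
    fr_sk, fr_pk = keygen()
    fk = [fingerprint(evil_pk)]
    forged = check_package(pinned, fr_pk, fk, sign(fr_sk, "\n".join(fk).encode()),
                           evil_deb, evil_pk, evil_sig)
    return good, swapped, forged
```

The third result depends entirely on the pinned fingerprint being correct, which is the open question the message ends on.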

