Re: .deb integrity check
On Fri, Jun 11, 1999 at 02:41:17PM +0200, Sarel Botha wrote:
> I think dpkg should do the checking, what if I wget and then dpkg to install a
> package? Just like the security advisories sent to bugtraq advise you to do.
Nahh.. Have it as a separate program.. Do you really want to work with dpkg
source? :-) Have dpkg call it if you must..
On Fri, Jun 11, 1999 at 00:17:28PM -0500, Manoj Srivastava wrote:
> Does not deal with compromised keys, or keys belonging to
> people not part of the project anymore. You can reduce this by
> providing ready access to an up-to-date debian keyring; but then
> comes the problem of manually signing that with a secure Project key.
>
> Hmm. We need to ensure that the keyring I have downloaded is
> actually uncompromised, and then use that to check all packages to be
> installed ...
There's not much we can do for the average joe who installs Debian without
checking its authenticity themselves. Web-pages with high exposure and
up-to-the-minute security information, including keys and fingerprints, are a
must.
I thought each maintainer's keys were already signed by a Debian key.. I was
wrong. Up-to-date keyring package sounds good.. signed itself of course.
--
------------------------------------
Robert Thomson -- Just call me Sir -=| UNIX is user friendly. |=-
c9805651@alinga.newcastle.edu.au -=| It's just selective about |=-
I prefer GNU/Linux -=| who its friends are. |=-
------------------------------------