
Re: .deb integrity check



On Fri, Jun 11, 1999 at 02:41:17PM +0200, Sarel Botha wrote:
> I think dpkg should do the checking, what if I wget and then dpkg to install a
> package? Just like the security advisories sent to bugtraq advise you to do.

Nahh.. Have it as a separate program.. Do you really want to work with dpkg
source? :-)  Have dpkg call it if you must..

On Fri, Jun 11, 1999 at 00:17:28PM -0500, Manoj Srivastava wrote:
>         Does not deal with compromised keys, or keys belonging to
>  people not part of the project anymore. You can reduce this by
>  providing ready access to an up-to-date debian keyring; but then
>  comes the problem of manually signing that with a secure Project key.
>
>         Hmm. We need to ensure that the keyring I have downloaded is
>  actually uncompromised, and then use that to check all packages to be
>  installed ...

There's not much we can do for the average joe who installs Debian without
checking its authenticity themselves.  Web-pages with high exposure and
up-to-the-minute security information, including keys and fingerprints, are a
must.

I thought each maintainer's keys were already signed by a Debian key.. I was
wrong.  Up-to-date keyring package sounds good.. signed itself of course.

-- 
------------------------------------
 Robert Thomson -- Just call me Sir  -=|   UNIX is user friendly.  |=-
  c9805651@alinga.newcastle.edu.au   -=| It's just selective about |=-
        I prefer GNU/Linux	     -=|    who its friends are.   |=-
------------------------------------

