
Re: Official Debian digital 'branding' of debs

>>"Goswin" == Goswin Brederlow <goswin.brederlow@student.uni-tuebingen.de> writes:

 Goswin> Manoj Srivastava <srivasta@debian.org> writes:
 >> Hi,
 >> >>"Rene" == Rene Mayrhofer <rmayr@vianova.at> writes:
 >> ...
 >> To compromise the security, one would have to not only have
 >> compromised the master key, one would have had to compromise the
 >> debian keyring package, which is also signed by the maintainer.

 Goswin> How would that make Deb files more secure (apart from the keyring
 Goswin> package itself?) or is the md5sum in the packages file secure enough?

        The assumption is that each package is signed by the
 maintainer (and, possibly, have the detached signature be a part of
 the .deb file itself, but, failing that, have the changes files
 preserved until we can get dpkg hacked).

 "... And remember: if you don't like the news, go out and make some
 of your own." "Scoop" Nisker, KFOG radio reporter Preposterous Words
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
