Re: Official Debian digital 'branding' of debs
Hi,
>>"Goswin" == Goswin Brederlow <goswin.brederlow@student.uni-tuebingen.de> writes:
Goswin> Manoj Srivastava <srivasta@debian.org> writes:
>> Hi,
>> >>"Rene" == Rene Mayrhofer <rmayr@vianova.at> writes:
>> ...
>> To compromise the security, one would have to not only have
>> compromised the master key, one would have had to compromise the
>> debian keyring package, which is also signed by the maintainer.
Goswin> How would that make Deb files more secure (apart from the keyring
Goswin> package itself?) or is the md5sum in the packages file secure enough?
The assumption is that each package is signed by the
maintainer (and, possibly, have the detached signature be a part of
the .deb file itself, but, failing that, have the changes files
preserved until we can get dpkg hacked).
manoj
--
"... And remember: if you don't like the news, go out and make some
of your own." "Scoop" Nisker, KFOG radio reporter Preposterous Words
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E