Signature on packages?
Hello!
I am right now upgrading my Debian potato from the mirror ftp.it.debian.org and at
the same time I am reading about all those trojan viruses to be "used" with win95.
Now, I am trusting the security of my system (nothing so important, right now,
but ...) to the hands of the system administrator of the Debian mirror.
This is somewhat suboptimal. I propose that to every .deb package there should be
attached a GPG or PGP signature by the developer or the release manager, and
that signature is to be verified by dpkg and of course dselect, apt, ...
I propose even an easy way to verify that a public key is really from Debian:
somebody puts up an answering machine at a certain telephone number that says
in a clean and understandable voice: "the fingerprint of the key of the Debian
potato distribution is ....". Now the cracker has to work a little more before
you load his trojan. If that number is a pay phone (like porn numbers) the
Debian organization could even gain a little money: I would surely pay
2 or 3 euro to improve the security of my system if I knew that that money goes
to a good cause.
I am sorry if this is off-topic.
Ciao, Marco.
PS. I am not subscribed. Please put a cc to me.
--
This is not a Sig. (With homage to Magritte).
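The mechanism proposed in the mail, shown as an added Go example (this is not code from the post, nor from dpkg, apt or any Debian tool): a release manager signs the SHA-256 digest of a package with an Ed25519 key, and the installer refuses the package unless (a) the fingerprint of the signing key matches a fingerprint obtained out of band (the "answering machine" value in the proposal) and (b) the signature verifies over the package bytes. The package contents, both key pairs and the trusted fingerprint are constructed inside the block; the PGP/GPG key format is replaced by raw Ed25519 keys from Go's standard library so that it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// PackageSignature is the data the proposal would ship next to each .deb:
// the signer's public key and a signature over the package digest.
type PackageSignature struct {
	SignerKey ed25519.PublicKey
	Sig       []byte
}

// Fingerprint is the hex SHA-256 of a public key. This is the value that
// would be published out of band (here: the "answering machine").
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SignPackage signs the SHA-256 digest of the package bytes, the same
// way apt's Release files sign checksums rather than raw archives.
func SignPackage(priv ed25519.PrivateKey, pkg []byte) PackageSignature {
	digest := sha256.Sum256(pkg)
	return PackageSignature{
		SignerKey: priv.Public().(ed25519.PublicKey),
		Sig:       ed25519.Sign(priv, digest[:]),
	}
}

// VerifyPackage is what dpkg/apt would do before unpacking: check the key
// against the out-of-band fingerprint first, then check the signature.
// Checking the key first matters: a valid signature from an untrusted key
// (a mirror admin's own key, say) must not count as a pass.
func VerifyPackage(pkg []byte, ps PackageSignature, trustedFingerprint string) error {
	if Fingerprint(ps.SignerKey) != trustedFingerprint {
		return errors.New("signer key fingerprint does not match the out-of-band fingerprint")
	}
	digest := sha256.Sum256(pkg)
	if !ed25519.Verify(ps.SignerKey, digest[:], ps.Sig) {
		return errors.New("bad signature: package contents differ from what was signed")
	}
	return nil
}

// Scenario plays through the three cases the proposal is about and reports
// whether each one is accepted: the genuine package, a package altered on
// the mirror, and a package re-signed by someone holding a different key.
func Scenario() (genuineOK, tamperedOK, foreignKeyOK bool) {
	// Constructed release-manager key; the trusted fingerprint is derived
	// from it exactly as it would be read off the answering machine.
	relPub, relPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trusted := Fingerprint(relPub)

	// Constructed package contents standing in for a .deb archive.
	pkg := []byte("!<arch>\ndebian-binary   2.0\ncontrol.tar.gz  ...\ndata.tar.gz     ...\n")
	sig := SignPackage(relPriv, pkg)
	genuineOK = VerifyPackage(pkg, sig, trusted) == nil

	// Case 2: the mirror serves an altered archive with the original signature.
	tampered := append([]byte(nil), pkg...)
	tampered[len(tampered)-2] ^= 0x01
	tamperedOK = VerifyPackage(tampered, sig, trusted) == nil

	// Case 3: the archive is re-signed with a key that is not the release key.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	foreignKeyOK = VerifyPackage(pkg, SignPackage(otherPriv, pkg), trusted) == nil
	return
}

func main() {
	g, t, f := Scenario()
	fmt.Printf("genuine accepted: %v\ntampered accepted: %v\nforeign key accepted: %v\n", g, t, f)
}
```

The order of the two checks in VerifyPackage is the point of the mail's second paragraph: a signature proves only that whoever held a key signed the bytes, and the out-of-band fingerprint is what ties that key to Debian rather than to whoever runs the mirror.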