
Re: Signing Packages.gz

Robert Bihlmeyer <robbe@orcus.priv.at> wrote:
> That's just the point: the security of a singly-signed Packages.gz
> would not be much higher than that of the ftp sites themselves.
> Nothing to win, here.

Actually I'm not concerned right now with the security of the main
Debian ftp site.  While that's important, I assume that has already
been handled.

I just want to make sure that the packages I download come from Debian
and not some man-in-the-middle.  I can do that now on a maintainer level
by using the source.  But I cannot check that the binary I got really
came from Debian people.

And if Packages is signed, I would expect whoever or whatever signs it
to also check that the packages listed inside that file actually came
from a Debian maintainer.  As far as I understand it, this is possible
since the package upload (binary) is also signed by the maintainer.

It seems like the only path that does not have at least some cryptographic
safety is the path from Debian to the poor user. :-)

And I hope Potato's Packages file can be signed so I don't have to wait
for Woody.  Even if I have to manually download the Packages file, check
the signature, then update my system - even that will save me *hours* of

- Chris
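The manual procedure Chris describes (download the Packages file, check its signature, then trust what it lists) is only useful if the client also binds each downloaded binary to the hashes the signed index carries. The following is an added example, not part of the original post or of any Debian tool: it parses an RFC822-style Packages index and checks a downloaded .deb against the listed Size, MD5sum and SHA256 fields, so that a binary altered in transit is rejected even though the index itself was signed. The index text and package bytes are constructed for the example; the detached-signature check over the index (gpg --verify) is assumed to have happened beforehand and is only noted in a comment.

```python
"""Bind downloaded .deb files to a signature-verified Packages index.

Added example, not code from the original mailing-list post. It assumes
the Packages index was already checked against its detached signature
(for example: gpg --verify Packages.gpg Packages) and shows the next step,
comparing each downloaded binary to the hashes the signed index lists.
All data below is constructed; the package bytes are not real .deb archives.
"""
import hashlib


def parse_packages(text):
    """Parse an RFC822-style Packages index into {Filename: fields}."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            # Continuation lines (e.g. long Description fields) start with
            # whitespace; they carry no hashes, so they are skipped here.
            if not line or line[0] in " \t":
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Filename" in fields:
            entries[fields["Filename"]] = fields
    return entries


def verify_deb(entry, data):
    """Return the list of fields that disagree with the data (empty = match)."""
    problems = []
    if "Size" in entry and int(entry["Size"]) != len(data):
        problems.append("Size")
    if "MD5sum" in entry and hashlib.md5(data).hexdigest() != entry["MD5sum"].lower():
        problems.append("MD5sum")
    if "SHA256" in entry and hashlib.sha256(data).hexdigest() != entry["SHA256"].lower():
        problems.append("SHA256")
    return problems


def check_download(index_text, filename, data):
    """Look a downloaded file up in the index and verify it.

    Returns (ok, problems). A file the signed index does not list at all is
    rejected too: an attacker who can add stanzas would not need to forge
    hashes, so "not listed" is a failure, not a pass.
    """
    entries = parse_packages(index_text)
    entry = entries.get(filename)
    if entry is None:
        return False, ["not listed in index"]
    problems = verify_deb(entry, data)
    return not problems, problems


# --- constructed sample data -------------------------------------------------
HELLO_PATH = "dists/potato/main/binary-i386/devel/hello_1.3-16_i386.deb"
SL_PATH = "dists/potato/main/binary-i386/games/sl_3.03-3_i386.deb"

# Constructed stand-ins for package contents (not real ar archives).
HELLO_DEB = b"!<arch>\nconstructed hello 1.3-16 payload\n"
SL_DEB = b"!<arch>\nconstructed sl 3.03-3 payload\n"


def _stanza(name, version, path, data):
    """Build one constructed Packages stanza whose hashes match `data`."""
    return (
        f"Package: {name}\n"
        f"Version: {version}\n"
        f"Architecture: i386\n"
        f"Filename: {path}\n"
        f"Size: {len(data)}\n"
        f"MD5sum: {hashlib.md5(data).hexdigest()}\n"
        f"SHA256: {hashlib.sha256(data).hexdigest()}\n"
        f"Description: constructed sample entry\n"
        f" (continuation line, ignored by the parser)\n"
    )


# The index a client would have fetched and signature-checked first.
SAMPLE_PACKAGES = _stanza("hello", "1.3-16", HELLO_PATH, HELLO_DEB) + "\n" + \
    _stanza("sl", "3.03-3", SL_PATH, SL_DEB)

# A same-size modification: the kind of change a size check alone misses.
TAMPERED_HELLO = HELLO_DEB[:-2] + b"X\n"


if __name__ == "__main__":
    for label, path, data in [
        ("genuine hello", HELLO_PATH, HELLO_DEB),
        ("tampered hello", HELLO_PATH, TAMPERED_HELLO),
        ("unlisted file", "dists/potato/main/binary-i386/misc/evil_1.0_i386.deb", b""),
    ]:
        ok, problems = check_download(SAMPLE_PACKAGES, path, data)
        print(f"{label}: {'OK' if ok else 'REJECT ' + ', '.join(problems)}")
```

The same-size tampered case is the one worth noting: the Size field alone passes, and only the hash comparison against the signed index catches it, which is why the index must be the signed artifact rather than the mirror's directory listing.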
