
Re: Signing Packages.gz



On Sun, Apr 02, 2000 at 01:36:56PM +1000, Anthony Towns wrote:
> On Sat, Apr 01, 2000 at 03:38:29PM +0200, Marcus Brinkmann wrote:
> > I could not trust either. The former, because it is stored on a network
> > connected machine, the latter because it is transferred over the net (if it
> > is shared among the security team). Of course, if the security team use
> > their personal key in the latter case, I can trust it.
> 
> Are you really sure that no developer stores their key on a net connected
> machine?

No, but if I find out, I can investigate the installed packages or delete
his key from my personal copy of the debian-keyring (and could configure the
not-existing dpkg-verify software to use this smaller keyring), if I really
cared.

Do you see the difference? I can make an informed decision, while in the
signed packages file case, I can not verify the origin of any of the packages
I don't have the changes file for.

Thanks,
Marcus

-- 
`Rhubarb is no Egyptian god.' Debian http://www.debian.org Check Key server 
Marcus Brinkmann              GNU    http://www.gnu.org    for public PGP Key 
Marcus.Brinkmann@ruhr-uni-bochum.de,     marcus@gnu.org    PGP Key ID 36E7CD09
http://homepage.ruhr-uni-bochum.de/Marcus.Brinkmann/       brinkmd@debian.org

