Re: Signing Packages.gz
On Sun, Apr 02, 2000 at 01:36:56PM +1000, Anthony Towns wrote:
> On Sat, Apr 01, 2000 at 03:38:29PM +0200, Marcus Brinkmann wrote:
> > I could not trust either. The former, because it is stored on a network
> > connected machine, the latter because it is transferred over the net (if it
> > is shared among the security team). Of course, if the security team use
> > their personal key in the latter case, I can trust it.
>
> Are you really sure that no developer stores their key on a net connected
> machine?
No, but if I find out, I can investigate the installed packages or delete
his key from my personal copy of the debian-keyring (and could configure the
not-existing dpkg-verify software to use this smaller keyring), if I really
cared.
Do you see the difference? I can make an informed decision, while in the
signed packages file case, I can not verify the origin of any of the packages
I don't have the changes file for.
Thanks,
Marcus
--
`Rhubarb is no Egyptian god.' Debian http://www.debian.org Check Key server
Marcus Brinkmann GNU http://www.gnu.org for public PGP Key
Marcus.Brinkmann@ruhr-uni-bochum.de, marcus@gnu.org PGP Key ID 36E7CD09
http://homepage.ruhr-uni-bochum.de/Marcus.Brinkmann/ brinkmd@debian.org
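The two trust models argued over in this thread, modelled as an added example (not code from the mail or from the Debian project): a signed Packages-style index whose only signer is the archive key, versus per-package signatures made with each uploader's own key, checked against a local keyring the user may trim. Real OpenPGP signatures are replaced by HMAC tags keyed by a per-signer secret so the script runs offline with the standard library alone; the key ids, package contents and uploads are constructed sample data, and `dpkg-verify` from the mail is not modelled.

```python
"""Toy model of index signing versus per-package signing.

Stand-in for PGP: each signer has a secret and "signs" with HMAC-SHA256.
Everything below (key ids, .deb contents, uploaders) is constructed data.
"""
import hashlib
import hmac

# Constructed signer secrets (stand-ins for private PGP keys).
SECRETS = {
    "ARCHIVE-KEY": b"archive-signing-secret",  # key that signs Packages.gz
    "DEV-A": b"developer-a-secret",            # maintainer of libfoo
    "DEV-B": b"developer-b-secret",            # maintainer of bar
}

# Constructed package payloads and the developer who uploaded each one.
UPLOADS = {
    "libfoo_1.0_i386.deb": (b"libfoo contents", "DEV-A"),
    "bar_2.3_i386.deb": (b"bar contents", "DEV-B"),
}


def sign(key_id, data):
    """Tag over data with the signer's secret (toy replacement for a PGP signature)."""
    return hmac.new(SECRETS[key_id], data, hashlib.sha256).hexdigest()


def verify(key_id, data, tag, keyring):
    """Accept only if key_id is in the local keyring and the tag matches the data."""
    if key_id not in keyring:
        return False
    expected = hmac.new(SECRETS[key_id], data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def build_packages_index():
    """Packages-file style index: one 'name sha256' line per .deb, signed by the archive key."""
    lines = [f"{name} {hashlib.sha256(data).hexdigest()}"
             for name, (data, _signer) in sorted(UPLOADS.items())]
    index = "\n".join(lines).encode()
    return index, sign("ARCHIVE-KEY", index)


def check_via_signed_index(name, data, index, index_sig, keyring):
    """Model 1: trust flows from the archive key to every hash listed in the index.

    Returns (accepted, origin). Origin is always None: the index only says the
    archive key vouched for this hash, not which developer uploaded the package.
    """
    if not verify("ARCHIVE-KEY", index, index_sig, keyring):
        return False, None
    line = f"{name} {hashlib.sha256(data).hexdigest()}".encode()
    return line in index.split(b"\n"), None


def per_package_signatures():
    """Each upload carries a signature made with its uploader's own key."""
    return {name: (signer, sign(signer, data)) for name, (data, signer) in UPLOADS.items()}


def check_via_package_signature(name, data, signatures, keyring):
    """Model 2: verify the uploader's signature against the local keyring.

    Returns (accepted, signer). Dropping a signer from the keyring makes exactly
    that signer's packages fail while every other package is unaffected.
    """
    signer, tag = signatures[name]
    return verify(signer, data, tag, keyring), signer


def trust_report(keyring):
    """Run both models over every upload with the given local keyring."""
    index, index_sig = build_packages_index()
    sigs = per_package_signatures()
    return {
        name: {
            "signed_index": check_via_signed_index(name, data, index, index_sig, keyring),
            "per_package": check_via_package_signature(name, data, sigs, keyring),
        }
        for name, (data, _signer) in UPLOADS.items()
    }


FULL_KEYRING = {"ARCHIVE-KEY", "DEV-A", "DEV-B"}
# The scenario from the mail: DEV-B is found to keep the key on a networked
# machine, so the local copy of the keyring drops that key.
TRIMMED_KEYRING = FULL_KEYRING - {"DEV-B"}

if __name__ == "__main__":
    for label, ring in (("full keyring", FULL_KEYRING), ("DEV-B removed", TRIMMED_KEYRING)):
        print(f"== {label}")
        for name, result in trust_report(ring).items():
            print(f"{name}: index -> {result['signed_index']}, per-package -> {result['per_package']}")
```

With the full keyring both models accept both packages. After removing DEV-B, the per-package model rejects `bar` and still accepts `libfoo`, which is the informed decision the mail describes; the signed-index model keeps accepting both, because the only key it ever consulted is the archive key and it never learns who uploaded what.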