[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Secure apt-get

On Thu, Jan 18, 2001 at 10:53:16PM +0100, Goswin Brederlow wrote:

> The problem with signing packages is that you can't trust a computer
> to do it for obvious reasons (like building/installation of packages
> being done as root).

That is one problem, but the big problems (I think) are personal trust and key

1. How do you know that the signer's key belongs to a given individual?

2. How do you establish that you trust that individual to create a safe

(2.) can perhaps be addressed by having auditors sign off on packages, giving
users the option of trusting a number of auditors.  (1.) is the bane of all
cryptography, and is much more difficult to solve.

 - mdz

Reply to: