Re: Packages and signatures
>>>>> " " == Bernd Eckenfels <lists@lina.inka.de> writes:
> On Fri, Jan 19, 2001 at 10:07:56AM +0100, Goswin Brederlow
> wrote:
>> The point is that it would give no extra security atop of the
>> trust you can have in the autobuilders anyway.
> It will additional security since corruption on the way from
> master to the user (i.e. mirror or cd) will be detected.
Sign the Packages files, which contain the md5sum.
That could be done on a more secure server than the autobuilder.
And the autobuilder should upload packages via ssh to prevent
tampering on that side.
MfG
Goswin
Reply to: