
Re: Packages and signatures



>>>>> " " == Bernd Eckenfels <lists@lina.inka.de> writes:

     > On Fri, Jan 19, 2001 at 10:07:56AM +0100, Goswin Brederlow
     > wrote:
    >> The point is that it would give no extra security atop of the
    >> trust you can have in the autobuilders anyway.

     > It will give additional security since corruption on the way from
     > master to the user (i.e. mirror or cd) will be detected.

Sign the Packages files, which contain the md5sum.
That could be done on a more secure server than the autobuilder.

And the autobuilder should upload packages via ssh to prevent
tampering on that side.

MfG
        Goswin
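
The check this message proposes, as an added example that is not part of the original mail: a client looks up a downloaded package in the Packages index and compares its size and md5sum, so corruption on a mirror or CD is detected. It assumes the signature on the Packages file has already been verified by other means (for example a detached GnuPG signature); the sample stanza, file name and function names are constructed for illustration.

```python
import hashlib

# Constructed sample data: a fake package payload and a Packages index for it.
GOOD_DEB = b"constructed package payload\n"
PACKAGES = (
    "Package: hello\n"
    "Version: 1.0-1\n"
    "Description: constructed example\n"
    " continuation line of the description\n"
    "Filename: pool/main/h/hello/hello_1.0-1_i386.deb\n"
    f"Size: {len(GOOD_DEB)}\n"
    f"MD5sum: {hashlib.md5(GOOD_DEB).hexdigest()}\n"
)

def parse_packages(text):
    """Return {Filename: {field: value}} for each stanza of a Packages file."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields, last = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and last:
                # Continuation line belongs to the previous field.
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                last, _, value = line.partition(":")
                fields[last] = value.strip()
        if "Filename" in fields:
            index[fields["Filename"]] = fields
    return index

def check_download(index, filename, data):
    """Compare downloaded bytes with the entry in the (already verified) index."""
    entry = index.get(filename)
    if entry is None:
        return "not-in-index"      # the signed index does not vouch for this file
    if len(data) != int(entry["Size"]):
        return "size-mismatch"     # truncated or padded in transit
    if hashlib.md5(data).hexdigest() != entry["MD5sum"].lower():
        return "md5-mismatch"      # content changed after the index was made
    return "ok"

if __name__ == "__main__":
    idx = parse_packages(PACKAGES)
    name = "pool/main/h/hello/hello_1.0-1_i386.deb"
    print(check_download(idx, name, GOOD_DEB))
    print(check_download(idx, name, GOOD_DEB.replace(b"package", b"pAckage")))
```

The hashes are only as trustworthy as the index that carries them, so the signature check on the Packages file has to happen before this comparison.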


