[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packages and signatures

>>>>> " " == Bernd Eckenfels <lists@lina.inka.de> writes:

     > On Fri, Jan 19, 2001 at 10:07:56AM +0100, Goswin Brederlow
     > wrote:
    >> The point is that it would give no extra security atop of the
    >> trust you can have in the autobuilders anyway.

     > It will additional security since corruption on the way from
     > master to the user (i.e. mirror or cd) will be detected.

Sign the Packages files, which contain the md5sum.
That could be done on a more secure server than the autobuilder.

And the autobuilder should upload packages via ssh to prevent
tampering on that side.


Reply to: