
Re: Packages and signatures



On Sat, Jan 27, 2001 at 03:19:36PM -0600, JP Sugarbroad wrote:

> On Sat, Jan 27, 2001 at 02:41:54AM -0500, Matt Zimmerman wrote:
> > Also, once the key is revoked, older packages (e.g., from previous releases)
> > signed by that key can no longer be verified.
> 
> They can be verified... you just get a warning about their being signed
> with a revoked key.

What I meant was that they can no longer be _trusted_, as the key has been
compromised.

The Debian archive should be as secure as the current state of the systems
running it.  All packages everywhere would be at the mercy of a key compromise
that had occurred at any point in time.

-- 
 - mdz


