Re: Packages and signatures
>>>>> "Nicolás" == Nicolás Lichtmaier <nick@debian.org> writes:
Nicolás> You forget compromised packages that would be necessary
Nicolás> to track and renew. Imagine that the site has been
Nicolás> compromised for a month, now you need to get all the
Nicolás> people who downloaded packages, all the people who have
Nicolás> burned CDs, redownload/validate their packages. The effort
Nicolás> is the same, and it should be, because as I said at the
Nicolás> beginning of the thread.. adding a key only validates an
Nicolás> existing "flow of trust", it doesn't change its shape.
(I have come in late on this discussion, so hope
I haven't misunderstood anything)
Would it help if you could download the signatures separately from the
package?
That way an existing CD could still be used, just download the new
signatures (which would be much smaller than the packages themselves)
from your local debian mirror.
--
Brian May <bam@debian.org>