
Re: Packages and signatures



>>>>> "Nicolás" == Nicolás Lichtmaier <nick@debian.org> writes:

    Nicolás>  You forget compromised packages that would be necessary
    Nicolás> to track and renew.  Imagine that the site has been
    Nicolás> compromised for a month, now you need to get all the
    Nicolás> people who downloaded packages, all the people who have
    Nicolás> burned CDs, redownload/validate their packages. The effort
    Nicolás> is the same, and it should be, because as I said at the
    Nicolás> beginning of the thread.. adding a key only validates an
    Nicolás> existing "flow of trust", it doesn't change its shape.

(I have come in late on this discussion, so hope
I haven't misunderstood anything)

Would it help if you could download the signatures separately from the
package?

That way an existing CD could still be used, just download the new
signatures (which would be much smaller than the packages themselves)
from your local debian mirror.
-- 
Brian May <bam@debian.org>


