
Bulk signing



Can we simply have the master archive sign the Packages file to produce a
detached Packages.sign? Different archives, e.g. translations, could have other
public keys; this is a quick and dirty way to prevent spoofing attacks on the
mirror network. Preventing spoofing attacks on individual packages is
obviously up to things like debsigs. Most people don't install debsig-verify,
which does not appear to be called by dpkg anyway (this can be fixed by making
it part of Standard in 3.0); bulk signing has been discussed here recently,
and the Packages file is a single file containing MD5s of each of the
packages, which *are* checked by dpkg. However, it appears that most packages
(all packages?) in sid are not signed anyway, so it would be a great
improvement on nothing.
-- 
The road to Tycho is paved with good intentions
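The chain of trust the post proposes is: a detached signature over the
Packages file, then the per-package MD5sum inside that file, then the .deb
bytes actually served by a mirror. The script below is an added example
written for this page, not code from the poster or from Debian's own tools.
It parses Packages-style stanzas, checks each listed file's MD5 against what
the mirror served, and wraps the signature step in a gpg call. The stanzas,
the stand-in .deb contents, and the function names (parse_packages,
check_mirror, verify_detached_signature) are all constructed here.

```python
"""Verify a mirrored package set against a signed Packages index.

Chain of trust, as described in the post: detached Packages.sign ->
Packages file -> per-package MD5sum -> .deb bytes on the mirror.
Example code, not Debian's tooling.  All sample data is constructed.
"""
import hashlib
import subprocess


def parse_packages(text):
    """Parse the RFC 822-style stanzas of a Packages file into dicts."""
    stanzas = []
    current = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        if line[0] in " \t":          # continuation line (e.g. Description)
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def verify_detached_signature(packages_path, sig_path, keyring=None):
    """Check Packages.sign against Packages with gpg; True only on success.

    Assumes a gpg binary on PATH.  The keyring is a parameter because the
    post notes that different archives may use different public keys.
    """
    cmd = ["gpg", "--batch", "--verify"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += [sig_path, packages_path]
    try:
        return subprocess.run(cmd, capture_output=True).returncode == 0
    except FileNotFoundError:        # no gpg installed: treat as unverified
        return False


def check_mirror(packages_text, mirror_files):
    """Compare each stanza's MD5sum with the bytes actually on the mirror.

    mirror_files maps Filename -> bytes.  Returns {Filename: status}, where
    status is 'ok', 'mismatch' (tampered or corrupt) or 'missing'.
    """
    result = {}
    for stanza in parse_packages(packages_text):
        name = stanza["Filename"]
        data = mirror_files.get(name)
        if data is None:
            result[name] = "missing"
        elif hashlib.md5(data).hexdigest() == stanza["MD5sum"]:
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    return result


# Constructed sample: two tiny stand-ins for .deb files on a mirror.
GOOD_DEB = b"!<arch>\ndebian-binary contents of a good package\n"
EVIL_DEB = b"!<arch>\ndebian-binary contents of a substituted package\n"

# Constructed Packages excerpt whose MD5sums match the intended contents.
PACKAGES = f"""Package: hello
Version: 1.3-16
Filename: pool/main/h/hello/hello_1.3-16_i386.deb
Size: {len(GOOD_DEB)}
MD5sum: {hashlib.md5(GOOD_DEB).hexdigest()}
Description: The classic greeting, and a good example
 Extended description lines start with a space.

Package: tycho
Version: 0.1-1
Filename: pool/main/t/tycho/tycho_0.1-1_i386.deb
Size: {len(GOOD_DEB)}
MD5sum: {hashlib.md5(GOOD_DEB).hexdigest()}
"""

# A mirror that serves one honest file and one substituted file.
MIRROR = {
    "pool/main/h/hello/hello_1.3-16_i386.deb": GOOD_DEB,
    "pool/main/t/tycho/tycho_0.1-1_i386.deb": EVIL_DEB,
}

if __name__ == "__main__":
    for name, status in check_mirror(PACKAGES, MIRROR).items():
        print(f"{status:8} {name}")
```

In real use the signature check runs first: only a Packages file whose
Packages.sign verifies under the archive's key is worth consulting, since the
MD5 list is exactly what a spoofed mirror would rewrite alongside the packages.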
