[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bulk signing

On Fri, Dec 21, 2001 at 12:56:34AM +0000, toad wrote:
> Can we simply have the master archive sign the Packages file to produce a 
> detached Packages.sign? Different archives e.g. translations could have other
> public keys; this is a quick and dirty way to prevent spoofing attacks on the
> mirror network - preventing spoofing attacks on individual packages is
> obviously up to things like debsigs. Most people don't install debsig-verify,
> which does not appear to be called by dpkg anyway (this can be fixed by making
> it part of Standard in 3.0), bulk signing has been discussed here recently,
> and the Packages file is a single file containing MD5's of each of the
> packages, which *are* checked by dpkg. However, it appears that most packages
> (all packages?) in sid are not signed anyway, so it would be a great
> improvement on nothing.
Errm, whoops. Release is signed, it includes MD5's of the Packages files.
I wonder if it's ever verified at the client level...
> -- 
> The road to Tycho is paved with good intentions

The road to Tycho is paved with good intentions

Reply to: