Re: Bulk signing

To: debian-devel@lists.debian.org
Subject: Re: Bulk signing
From: toad <matthew@toseland.f9.co.uk>
Date: Fri, 21 Dec 2001 01:04:41 +0000
Message-id: <[🔎] 20011221010441.GA30622@amphibian.dyndns.org>
In-reply-to: <[🔎] 20011221005634.GA5281@amphibian.dyndns.org>
References: <[🔎] 20011221005634.GA5281@amphibian.dyndns.org>

On Fri, Dec 21, 2001 at 12:56:34AM +0000, toad wrote:
> Can we simply have the master archive sign the Packages file to produce a 
> detached Packages.sign? Different archives e.g. translations could have other
> public keys; this is a quick and dirty way to prevent spoofing attacks on the
> mirror network - preventing spoofing attacks on individual packages is
> obviously up to things like debsigs. Most people don't install debsig-verify,
> which does not appear to be called by dpkg anyway (this can be fixed by making
> it part of Standard in 3.0), bulk signing has been discussed here recently,
> and the Packages file is a single file containing MD5's of each of the
> packages, which *are* checked by dpkg. However, it appears that most packages
> (all packages?) in sid are not signed anyway, so it would be a great
> improvement on nothing.
Errm, whoops. Release is signed, it includes MD5's of the Packages files.
I wonder if it's ever verified at the client level...
> -- 
> The road to Tycho is paved with good intentions

-- 
The road to Tycho is paved with good intentions

Reply to:

Follow-Ups:
- Re: Bulk signing
  - From: Anthony Towns <aj@azure.humbug.org.au>

References:
- Bulk signing
  - From: toad <matthew@toseland.f9.co.uk>

Prev by Date: Bulk signing
Next by Date: Bug#126039: ITP: bash-completion -- bash programmable completion
Previous by thread: Bulk signing
Next by thread: Re: Bulk signing
Index(es):
- Date
- Thread