Re: Debian (would like) to do list
On Fri, 26 Jul 2002 16:07:41 -0500 (CDT),
Drew Scott Daniels <umdanie8@cc.UManitoba.CA> wrote:
> Packages being signed by multiple people and allowing users to assign
> trust levels (checked before installing an upgrade) to people could
> improve security.
I wonder how this can be achieved. The signature should be a detached
signature to the .deb (or the tarballs in it). How do you audit a .deb? Yes,
I can unpack it with dpkg (or ar and tar), but what if it contains some
ELF executable? At least I don't know assembly language, and don't say
Debian supports 11 architectures so there are 11 kinds of assembly language.
Note that rebuilding the package does not necessarily produce a .deb with
the same md5sum unless it has very strict build-dependencies.
--
Oohara Yuuma <oohara@libra.interq.or.jp>
Debian developer
PGP key (key ID F464A695) http://www.interq.or.jp/libra/oohara/pub-key.txt
Key fingerprint = 6142 8D07 9C5B 159B C170 1F4A 40D6 F42E F464 A695
her occasionally near suicidal sense of loyal self-sacrifice
--- Luke Seubert, about what Rei Ayanami and Debian developers have in common
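The rebuild point in the message above, as an added example that is not part of the original post: a .deb is an ar archive, and each ar member header carries a build-time mtime, so two builds with byte-identical members still hash differently as whole files. The member contents and timestamps below are constructed placeholders, and the helper names are hypothetical.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def build_ar(members, mtime):
    """Build a minimal ar archive, the outer container format of a .deb."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        # 60-byte header: name, mtime, uid, gid, mode, size, end marker
        header = "{:<16}{:<12}{:<6}{:<6}{:<8}{:<10}`\n".format(
            name, mtime, 0, 0, "100644", len(data))
        out += header.encode("ascii") + data
        if len(data) % 2:
            out += b"\n"  # members are padded to an even offset
    return bytes(out)

def parse_ar(blob):
    """Yield (name, mtime, data) for each member of an ar archive."""
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    pos = 8
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) != 60 or header[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        text = header.decode("ascii")
        name, mtime, size = text[0:16].rstrip(), int(text[16:28]), int(text[48:58])
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        yield name, mtime, data
        pos += 60 + size + (size % 2)

def member_digests(blob):
    """SHA-256 of each member's content, ignoring ar header metadata."""
    return {n: hashlib.sha256(d).hexdigest() for n, _, d in parse_ar(blob)}

def compare_builds(a, b):
    """Return (whole-file md5 equal?, per-member content equal?)."""
    same_file = hashlib.md5(a).hexdigest() == hashlib.md5(b).hexdigest()
    return same_file, member_digests(a) == member_digests(b)

# Constructed sample: placeholder bytes stand in for the real tarballs.
MEMBERS = [("debian-binary", b"2.0\n"),
           ("control.tar.gz", b"constructed control"),
           ("data.tar.gz", b"constructed data")]
BUILD_A = build_ar(MEMBERS, 1027717661)  # constructed build time
BUILD_B = build_ar(MEMBERS, 1027804061)  # same inputs, rebuilt a day later

if __name__ == "__main__":
    print(compare_builds(BUILD_A, BUILD_B))
```

In a real package the inner tarballs also embed timestamps (tar member mtimes, the gzip header), so the per-member digests usually differ between rebuilds as well.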