
Re: Debian (would like) to do list



On Fri, 26 Jul 2002 16:07:41 -0500 (CDT),
Drew Scott Daniels <umdanie8@cc.UManitoba.CA> wrote:
> Packages being signed by multiple people and allowing users to assign
> trust levels (checked before installing an upgrade) to people could
> improve security.
I wonder how this can be achieved.  The signature should be a detached
signature to .deb (or tarballs in it).  How do you audit .deb?  Yes,
I can unpack it with dpkg (or ar and tar), but what if it contains some
ELF executable?  At least I don't know assembly language, and don't say
Debian supports 11 architectures so there are 11 kinds of assembly language.
Note that rebuilding the package does not necessarily produce .deb with
the same md5sum unless it has very strict build-dependency.

-- 
Oohara Yuuma <oohara@libra.interq.or.jp>
Debian developer
PGP key (key ID F464A695) http://www.interq.or.jp/libra/oohara/pub-key.txt
Key fingerprint = 6142 8D07 9C5B 159B C170  1F4A 40D6 F42E F464 A695

her occasionally near suicidal sense of loyal self-sacrifice
--- Luke Seubert, about what Rei Ayanami and Debian developers have in common
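
An added example, not part of the original message, illustrating the point about rebuilt packages and md5sums: a .deb is an ar archive whose member headers carry timestamps, so two builds with identical member contents still differ byte for byte, and a detached signature over the whole file matches only one of them. The payloads and timestamps are constructed, and `build_ar`, `parse_ar` and `content_digests` are hypothetical helper names.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def build_ar(members, mtime):
    """Serialize (name, data) pairs as an ar archive, the outer container of a .deb."""
    out = [AR_MAGIC]
    for name, data in members:
        # 60-byte header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) "`\n"
        out.append(b"%-16s%-12d%-6d%-6d%-8s%-10d`\n"
                   % (name.encode(), mtime, 0, 0, b"100644", len(data)))
        out.append(data + (b"\n" if len(data) % 2 else b""))  # pad to even offset
    return b"".join(out)

def parse_ar(blob):
    """Return [(name, mtime, data)], rejecting malformed or truncated input."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = [], len(AR_MAGIC)
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        size = int(hdr[48:58].decode())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member")
        members.append((hdr[0:16].decode().rstrip(), int(hdr[16:28].decode()), data))
        pos += 60 + size + (size % 2)
    return members

def content_digests(blob):
    """SHA-256 of each member's payload, ignoring header metadata such as mtime."""
    return {name: hashlib.sha256(data).hexdigest() for name, _, data in parse_ar(blob)}

# Constructed sample: the three member names of a .deb with placeholder payloads.
MEMBERS = [("debian-binary", b"2.0\n"),
           ("control.tar.gz", b"constructed control payload"),
           ("data.tar.gz", b"constructed data payload")]
BUILD_A = build_ar(MEMBERS, 1027717661)   # constructed build timestamps
BUILD_B = build_ar(MEMBERS, 1027804061)

if __name__ == "__main__":
    print("md5 A:", hashlib.md5(BUILD_A).hexdigest())
    print("md5 B:", hashlib.md5(BUILD_B).hexdigest())
    print("same member contents:", content_digests(BUILD_A) == content_digests(BUILD_B))
    # Real packages also carry timestamps inside the tar and gzip layers, so the
    # same normalisation would have to be repeated one level down.
```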

