Re: [RFH] The need for signed packages and signed Releases (long, long)

To: Florian Weimer <fw@deneb.enyo.de>
Cc: debian-devel@lists.debian.org
Subject: Re: [RFH] The need for signed packages and signed Releases (long, long)
From: tb@becket.net (Thomas Bushnell, BSG)
Date: 15 Nov 2002 15:09:13 -0800
Message-id: <[🔎] 87lm3uqvl2.fsf@becket.becket.net>
In-reply-to: <[🔎] 87heeixx1r.fsf@deneb.enyo.de>
References: <[🔎] 20021112143711.GA6850@dat.etsit.upm.es> <[🔎] 20021112164411.GB7412@azure.humbug.org.au> <[🔎] 87smy6v7of.fsf@glaurung.green-gryphon.com> <[🔎] 20021113051122.GD26235@azure.humbug.org.au> <[🔎] 20021113084711.A18292@doc.ic.ac.uk> <[🔎] 87heeixx1r.fsf@deneb.enyo.de>

Florian Weimer <fw@deneb.enyo.de> writes:

> Andrew Suffield <asuffield@debian.org> writes:
> 
> > To be decently secure, you need the target system to refuse to accept
> > packages that don't have an acceptable trust path.
> 
> Have you actually tried to determine whom and which machines you have
> to trust implicitly when trusting a particular Debian package?  I
> guess this gets really messy pretty soon.

I trust auric.  But I don't trust that the DNS servers will give me
the correct IP address for it.  Hrm. 

Fortunately, there is a partial solution: signatures and signature
checking on packages.  And golly gee, it looks like that one is going
to happen, for which I'm quite grateful.

Reply to:

Follow-Ups:
- Re: [RFH] The need for signed packages and signed Releases (long, long)
  - From: Florian Weimer <fw@deneb.enyo.de>

References:
- [RFH] The need for signed packages and signed Releases (long, long)
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Re: [RFH] The need for signed packages and signed Releases (long, long)
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: [RFH] The need for signed packages and signed Releases (long, long)
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: [RFH] The need for signed packages and signed Releases (long, long)
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: [RFH] The need for signed packages and signed Releases (long, long)
  - From: Andrew Suffield <asuffield@debian.org>
- Re: [RFH] The need for signed packages and signed Releases (long, long)
  - From: Florian Weimer <fw@deneb.enyo.de>

Prev by Date: Re: Discussion - non-free software removal
Next by Date: Re: Free v's Open Source software
Previous by thread: Re: [RFH] The need for signed packages and signed Releases (long, long)
Next by thread: Re: [RFH] The need for signed packages and signed Releases (long, long)
Index(es):
- Date
- Thread