On Mon, 2003-12-01 at 13:34, Goswin von Brederlow wrote:
> We have no continuous trust chain going from the maintainer (also
> meaning buildd + admin), ftp-master.d.o, mirrors to the user. A
> compromised dinstall on master could replace binary uploads with
> trojan versions without any user being able to detect it.
>
A compromised dinstall on ftp-master could also replace the keyring package with a new one containing an extra key, used to sign the new package and any other package they felt like. Assuming that level of compromise, there's no reason to suspect that they couldn't have free rein adding anything to the archive they wanted. Signed .debs gain you nothing here.

Anyway, I digress from this; I'm replying to point out that we have exactly the chain of trust you want:

Download the source package components, verify their MD5 signatures against the Sources file, verify the MD5 signature of the Sources file against the Release file and verify that file's GPG signature. This proves that the package has successfully passed through the ftp-master process and entered the archive.

To verify this was uploaded by a Debian developer, go to http://lists.debian.org/debian-devel-changes/ and find the Accepted message, verify that message's GPG signature and verify the MD5 signatures of the files in that against the real files (this contains uploaded .deb signatures too).

Scott
-- 
Have you ever, ever felt like this?
Had strange things happen? Are you going round the twist?
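The Release -> Sources -> source-component chain described in the reply, as an added example that is not part of the original mail. It assumes the 2003-era index formats (a Release `MD5Sum:` stanza and a Sources `Files:` field, both listing ` <md5> <size> <name>` lines), takes the `gpg --verify` of the Release file as already done, and runs on constructed archive data embedded inline; `parse_hash_list`, `check` and `verify_chain` are names chosen here, not Debian tooling.

```python
import hashlib

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def parse_hash_list(text: str, field: str) -> dict:
    """Read the ' <md5> <size> <name>' lines under one field (Release's
    'MD5Sum:' stanza or a Sources stanza's 'Files:') into {name: (md5, size)}."""
    entries, active = {}, False
    for line in text.splitlines():
        if line.startswith(field):
            active = True
        elif active and line.startswith(" "):
            md5, size, name = line.split()
            entries[name] = (md5, int(size))
        else:
            active = False  # any other top-level field ends the list
    return entries

def check(expected: dict, name: str, data: bytes) -> bool:
    """True only if name is listed and both its MD5 and size match."""
    md5, size = expected.get(name, (None, None))
    return md5 == md5_hex(data) and size == len(data)

def verify_chain(release_text: str, sources_path: str, sources_bytes: bytes,
                 files: dict) -> dict:
    """Sources against Release, then each source component against Sources.
    Assumes 'gpg --verify Release.gpg Release' has already succeeded."""
    results = {sources_path: check(parse_hash_list(release_text, "MD5Sum:"),
                                   sources_path, sources_bytes)}
    expected = parse_hash_list(sources_bytes.decode(), "Files:")
    for name, data in files.items():
        results[name] = check(expected, name, data)
    return results

# Constructed archive state: genuine source components, the Sources index
# listing them, and the Release file covering that index.
GENUINE = {"foo_1.0.dsc": b"Format: 1.0\nSource: foo\n",
           "foo_1.0.tar.gz": b"constructed tarball bytes"}
SOURCES = ("Package: foo\nVersion: 1.0\nFiles:\n" + "".join(
    f" {md5_hex(d)} {len(d)} {n}\n" for n, d in GENUINE.items())).encode()
RELEASE = ("Origin: Debian\nMD5Sum:\n"
           f" {md5_hex(SOURCES)} {len(SOURCES)} main/source/Sources\nSHA1:\n")

# A download where the tarball was swapped: the chain must flag only that file.
TAMPERED = {**GENUINE, "foo_1.0.tar.gz": b"substituted tarball bytes"}
```

Calling `verify_chain(RELEASE, "main/source/Sources", SOURCES, TAMPERED)` reports the Sources index and the .dsc as matching and the swapped tarball as failing, which is the detection the mail says signed .debs would not add to.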