
Re: Revival of the signed debs discussion

On Mon, 01 Dec 2003 15:56:59 +0000, Scott James Remnant
<scott@netsplit.com> wrote:
>Download the source package components, verify their MD5 signatures
>against the Sources file, verify the MD5 signature of the Sources file
>against the Release file and verify that file's GPG signature.  This
>proves that the package has successfully passed through the ftp-master
>process and entered the archive.

The GPG signature on the Release file is automatically generated with
a key that was stored on one of the compromised boxes. That trust
chain is thus broken at its very beginning, and unfortunately the
stable release manager seems to ignore questions on IRC asking for a
3.0r2 Release file signed with his personal GPG key.

>To verify this was uploaded by a Debian developer, go to
>http://lists.debian.org/debian-devel-changes/ and find the Accepted
>message, verify that message's GPG signature and verify the MD5
>signatures of the files in that against the real files (this contains
>uploaded .deb signatures too).

Unfortunately, changes files generated by buildds and sent to
debian-devel-$ARCH-changes are not archived, so this trust chain only
works for the architecture the original maintainer built on.


-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber          |   " Questions are the         | Mail address in header
Karlsruhe, Germany  |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
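The verification chain from the quoted steps, as an added example that is not part of this thread: constructed Release and Sources stanzas (simplified to their MD5Sum: and Files: fields) are checked in order, with the `gpg --verify` of Release.gpg represented by a boolean flag, since the reply's point is that the key behind that signature was itself stored on a compromised box.

```python
import hashlib
# Constructed sample archive fragments; none of this is real Debian data.
SOURCE_FILES = {
    "foo_1.0-1.dsc": b"constructed .dsc contents",
    "foo_1.0.orig.tar.gz": b"constructed orig tarball bytes",
    "foo_1.0-1.diff.gz": b"constructed diff bytes",
}
def md5(data):
    return hashlib.md5(data).hexdigest()
def build_sources(files):
    """Minimal Sources stanza: a Files: field listing ' md5 size name'."""
    lines = ["Package: foo", "Version: 1.0-1", "Files:"]
    lines += [f" {md5(d)} {len(d)} {n}" for n, d in files.items()]
    return ("\n".join(lines) + "\n").encode()

def build_release(sources):
    """Minimal Release stanza: an MD5Sum: field covering the Sources index."""
    lines = ["Suite: stable", "MD5Sum:",
             f" {md5(sources)} {len(sources)} main/source/Sources"]
    return ("\n".join(lines) + "\n").encode()

SOURCES = build_sources(SOURCE_FILES)
RELEASE = build_release(SOURCES)
def parse_hash_field(text, field):
    """Return {name: (md5, size)} from the indented list under 'field:'."""
    entries, in_field = {}, False
    for line in text.decode().splitlines():
        if line.startswith(field + ":"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        elif in_field:
            break
    return entries

def verify_chain(release, sources, files, release_sig_trusted):
    """Walk Release -> Sources -> source components, as in the quoted steps.
    release_sig_trusted stands in for 'gpg --verify' of Release.gpg: if that
    signature cannot be trusted (the reply's point), matching MD5s prove nothing."""
    if not release_sig_trusted:
        return False, "Release signature not trusted"
    want = parse_hash_field(release, "MD5Sum").get("main/source/Sources")
    if want != (md5(sources), len(sources)):
        return False, "Sources index does not match Release"
    for name, want in parse_hash_field(sources, "Files").items():
        data = files.get(name, b"")
        if (md5(data), len(data)) != want:
            return False, f"{name} does not match Sources"
    return True, "ok"
```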