Re: Revival of the signed debs discussion
* John Goerzen (firstname.lastname@example.org) [031201 17:40]:
> Even if the attacker could place a new keyring file in the archive,
> people verifying signatures on signed .debs would not install it, since
> it would not have the signature of a developer.
And to be honest: if all debs are signed, and it is easily possible, I
would restrict the accepted signatures for the keyring package on my
private machine to James, and have a mail sent to me if there is a
keyring package signed by any other DD. So the real danger would be if
James's key were stolen.
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
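The per-package signer restriction described in the mail, as an added example that is not part of the thread: a good signature is accepted only if the signing key is allowed for that package, and a keyring package signed by anyone other than the pinned maintainer is rejected with an alert. The fingerprints, the `debian-keyring` pinning and the gpg status lines are constructed for illustration.

```python
"""Per-package signer policy for signed .debs (constructed example)."""
import re

# Constructed sample keyring: fingerprint -> developer (placeholder keys, not real ones).
KEYRING = {
    "1111111111111111111111111111111111111111": "james",
    "2222222222222222222222222222222222222222": "other-dd",
}

# Packages pinned to a subset of signers; every other package accepts any keyring member.
PINNED = {"debian-keyring": {"1111111111111111111111111111111111111111"}}

# gpg --status-fd reports a good signature as "[GNUPG:] VALIDSIG <fingerprint> <date> <ts> ...".
VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ")

# Constructed status output for a keyring package signed by a non-pinned developer.
SAMPLE_STATUS = (
    "[GNUPG:] SIG_ID abc 2003-12-01 1070300000\n"
    "[GNUPG:] GOODSIG 2222222222222222 Other DD <dd@example.org>\n"
    "[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2003-12-01 1070300000 0 4 0 17 2 00\n"
)


def signer_of(status_output):
    """Return the fingerprint from the VALIDSIG line, or None if no signature verified."""
    for line in status_output.splitlines():
        m = VALIDSIG.match(line)
        if m:
            return m.group(1)
    return None


def check_package(package, status_output):
    """Return (accept, reason); a pinned package signed by the wrong DD yields an ALERT reason."""
    fpr = signer_of(status_output)
    if fpr is None:
        return False, "no valid signature"
    if fpr not in KEYRING:
        return False, "signer not in keyring"
    allowed = PINNED.get(package)
    if allowed is not None and fpr not in allowed:
        return False, f"ALERT: {package} signed by {KEYRING[fpr]}, not a pinned signer"
    return True, f"signed by {KEYRING[fpr]}"


if __name__ == "__main__":
    print(check_package("debian-keyring", SAMPLE_STATUS))
```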