[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Revival of the signed debs discussion

* John Goerzen (jgoerzen@complete.org) [031201 17:40]:
> Even if the attacker could place a new keyring file in the archive,
> people verifying signatures on signed .debs would not install it, since
> it would not have the signature of a developer.

And to be honest: If all debs are signed, and it is easy possible, I
would restrict accepted signatures at my private machine for the
keyring package to James - and let me send a mail if there is a
keyring package signed by any other DD. So, the real danger would be
if James key is stolen.

   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C

Reply to: