Re: Revival of the signed debs discussion
* Marc Haber (firstname.lastname@example.org) [031201 18:25]:
> On Mon, 01 Dec 2003 15:56:59 +0000, Scott James Remnant
> <email@example.com> wrote:
> >Download the source package components, verify their MD5 signatures
> >against the Sources file, verify the MD5 signature of the Sources file
> >against the Release file and verify that file's GPG signature. This
> >proves that the package has successfully passed through the ftp-master
> >process and entered the archive.
> The GPG signature on the Release file is automatically generated with
> a key that was stored on one of the compromised boxes. That trust
> chain is thus broken at its very beginning, and unfortunately the
> stable release manager seems to ignore questions on IRC asking for a
> 3.0r2 Release file signed with his personal GPG key.
It is certainly a very good idea to sign the long-living Release files
(also|only) with an off-line key. It would IMHO be even better if the
debs were also (better) signed than they are, because double protection
is always better than single protection.
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
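The verification chain quoted above (source components against the Sources index, the Sources index against the Release file, the Release file against its signature) walked bottom-up in code, as an added example that is not part of this thread. It assumes the GPG check of the Release file against the expected off-line key is done by a separate step whose result is passed in as a boolean; all index contents are constructed.

```python
import hashlib

# Constructed sample source package components (not a real Debian package).
SOURCE_FILES = {
    "hello_1.0.orig.tar.gz": b"constructed-orig-tarball-bytes\n",
    "hello_1.0-1.diff.gz": b"constructed-diff-bytes\n",
    "hello_1.0-1.dsc": b"constructed-dsc-bytes\n",
}

def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def files_block(files: dict) -> str:
    # Build the "Files:" block as it appears in a Sources stanza.
    return "Files:\n" + "".join(f" {md5hex(d)} {len(d)} {n}\n" for n, d in files.items())

# Constructed Sources stanza and Release file that index it.
SOURCES = ("Package: hello\nVersion: 1.0-1\nDirectory: pool/main/h/hello\n"
           + files_block(SOURCE_FILES)).encode()
RELEASE = ("Origin: Debian\nSuite: stable\nMD5Sum:\n"
           f" {md5hex(SOURCES)} {len(SOURCES)} main/source/Sources\n").encode()

def parse_md5_block(text: str, header: str) -> dict:
    """Return {path: (md5, size)} from the indented lines following `header`."""
    entries, active = {}, False
    for line in text.splitlines():
        if line.startswith(header):
            active = True
        elif active and line.startswith(" "):
            md5, size, path = line.split()
            entries[path] = (md5, int(size))
        else:
            active = False  # block ends at the first non-indented line
    return entries

def check_entry(entries: dict, path: str, data: bytes) -> bool:
    """Digest and size must both match; an entry missing from the index fails."""
    if path not in entries:
        return False
    md5, size = entries[path]
    return md5 == md5hex(data) and size == len(data)

def verify_chain(release: bytes, sources: bytes, files: dict, release_sig_ok: bool) -> bool:
    """True only if every link holds: Release signature (checked elsewhere against
    the expected off-line key), Sources against Release, each file against Sources."""
    if not release_sig_ok:
        return False
    if not check_entry(parse_md5_block(release.decode(), "MD5Sum:"), "main/source/Sources", sources):
        return False
    file_entries = parse_md5_block(sources.decode(), "Files:")
    return all(check_entry(file_entries, name, data) for name, data in files.items())
```

Any modification of a component, of the Sources index, or a Release file whose signature did not verify against the off-line key breaks the chain at that link, which is exactly the point of the thread: the chain is only as strong as the key that signs its root.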