
Re: Revival of the signed debs discussion

* Marc Haber (mh+debian-devel@zugschlus.de) [031201 18:25]:
> On Mon, 01 Dec 2003 15:56:59 +0000, Scott James Remnant
> <scott@netsplit.com> wrote:
> >Download the source package components, verify their MD5 signatures
> >against the Sources file, verify the MD5 signature of the Sources file
> >against the Release file and verify that file's GPG signature.  This
> >proves that the package has successfully passed through the ftp-master
> >process and entered the archive.

> The GPG signature on the Release file is automatically generated with
> a key that was stored on one of the compromised boxes. That trust
> chain is thus broken at its very beginning, and unfortunately the
> stable release manager seems to ignore questions on IRC asking for a
> 3.0r2 Release file signed with his personal GPG key.

It is certainly a very good idea to sign the long-lived Release files
(also|only) with an off-line key. It would IMHO be even better if the
debs were also signed (better than they are now), because double
protection is always better than single protection.

   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C
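As an added example (not code from this thread or from the Debian archive tools), here is the hash-chain part of the procedure quoted above in Python: parse the Release file's MD5Sum list, check the Sources file against it, then check each downloaded source component against the Files: field of its Sources stanza. The Release and Sources contents, the `hello` package and its file names are constructed sample data. The first link, the OpenPGP signature on the Release file, is shown as a gpg call against an explicit keyring but is not exercised by the sample data; as the thread points out, that link is only as strong as the key that produced the signature.

```python
import hashlib
import subprocess


class VerificationError(Exception):
    """Raised when a file does not match the hash recorded one level up."""


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_stanzas(text: str) -> list:
    """Parse Debian control format: blank-line separated stanzas whose
    multi-line fields continue on indented lines."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line[0] in " \t" and last is not None:
            cur[last] += "\n" + line.strip()
        else:
            last, _, value = line.partition(":")
            cur[last] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def parse_hash_list(field_value: str) -> dict:
    """Turn a 'Files:' or 'MD5Sum:' block into {name: (hexdigest, size)}."""
    entries = {}
    for entry in field_value.splitlines():
        if entry.strip():
            digest, size, name = entry.split()
            entries[name] = (digest, int(size))
    return entries


def check_file(expected: tuple, data: bytes, what: str) -> None:
    """Compare size and MD5 of `data` with the (digest, size) recorded for it."""
    digest, size = expected
    if len(data) != size or md5_hex(data) != digest:
        raise VerificationError(f"{what}: size or MD5 mismatch")


def verify_release_signature(release_path: str, signature_path: str,
                             keyring: str) -> bool:
    """Step 1: gpg --verify on the detached Release.gpg, trusting only the
    given keyring. Needs gpg and the archive key; not run on the sample data."""
    result = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring,
         "--verify", signature_path, release_path],
        capture_output=True, text=True)
    return result.returncode == 0


def verify_chain(release_text: str, sources_path: str, sources_bytes: bytes,
                 package: str, files: dict) -> list:
    """Steps 2 and 3: Sources against Release, then every source component
    against its Sources stanza. Returns the verified paths or raises."""
    release = parse_stanzas(release_text)[0]
    listed = parse_hash_list(release.get("MD5Sum", ""))
    if sources_path not in listed:
        raise VerificationError(f"{sources_path} not listed in Release")
    check_file(listed[sources_path], sources_bytes, sources_path)

    for stanza in parse_stanzas(sources_bytes.decode()):
        if stanza.get("Package") == package:
            break
    else:
        raise VerificationError(f"no stanza for {package} in Sources")
    verified = []
    for name, expected in parse_hash_list(stanza["Files"]).items():
        path = f"{stanza['Directory']}/{name}"
        if path not in files:
            raise VerificationError(f"{path} was not downloaded")
        check_file(expected, files[path], path)
        verified.append(path)
    return verified


# Constructed sample source components for a hypothetical 'hello' package.
SAMPLE_FILES = {
    "main/source/hello_1.0.dsc": b"Format: 1.0\nSource: hello\nVersion: 1.0\n",
    "main/source/hello_1.0.tar.gz": b"constructed stand-in for the tarball\n",
}


def build_sample_archive(files: dict) -> tuple:
    """Construct a Sources stanza and Release file matching `files`
    (constructed sample data standing in for a mirror's index files)."""
    lines = ["Package: hello", "Version: 1.0", "Directory: main/source", "Files:"]
    for path, data in files.items():
        lines.append(f" {md5_hex(data)} {len(data)} {path.rsplit('/', 1)[-1]}")
    sources = ("\n".join(lines) + "\n").encode()
    release = ("Origin: Debian\nSuite: stable\nMD5Sum:\n"
               f" {md5_hex(sources)} {len(sources)} main/source/Sources\n")
    return release, sources


if __name__ == "__main__":
    release, sources = build_sample_archive(SAMPLE_FILES)
    print(verify_chain(release, "main/source/Sources", sources, "hello", SAMPLE_FILES))
    tampered = dict(SAMPLE_FILES)
    tampered["main/source/hello_1.0.tar.gz"] = b"backdoored\n"
    try:
        verify_chain(release, "main/source/Sources", sources, "hello", tampered)
    except VerificationError as err:
        print("rejected:", err)
```

The chain fails closed: a component that is not listed, not downloaded, or whose size or digest differs is rejected, and a modified Sources file is rejected at the Release link before any package file is looked at. None of this says anything about who controlled the key behind Release.gpg, which is exactly the gap the discussion above is about.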
