Re: Revival of the signed debs discussion

[Andreas Barth <aba@not.so.argh.org>]

* Scott James Remnant (scott@netsplit.com) [031201 18:40]:
> On Mon, 2003-12-01 at 16:26, John Goerzen wrote:
> > Even if the attacker could place a new keyring file in the archive,
> > people verifying signatures on signed .debs would not install it, since
> > it would not have the signature of a developer.

> What defines "the signature of a developer"?  That their key is in the
> keyring, so if a hax0r decided to comprise our keyring and add a key to
> it, there'd be no way to tell that it wasn't a developer's key.

For dpkg on my computer: That the signature is in _my_ _currently_
installed keyring package.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C