Re: Revival of the signed debs discussion
* Scott James Remnant (firstname.lastname@example.org) [031201 18:40]:
> On Mon, 2003-12-01 at 16:26, John Goerzen wrote:
> > Even if the attacker could place a new keyring file in the archive,
> > people verifying signatures on signed .debs would not install it, since
> > it would not have the signature of a developer.
> What defines "the signature of a developer"? That their key is in the
> keyring, so if a hax0r decided to compromise our keyring and add a key to
> it, there'd be no way to tell that it wasn't a developer's key.
For dpkg on my computer: That the signature is in _my_ _currently_
installed keyring package.
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
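The trust decision the reply describes (the signer must already be in the keyring installed on this machine, and a keyring package is itself only accepted if a key from the current keyring signed it) as an added, stand-alone example. This is not code from the thread, dpkg or the debian-keyring package: it models the keyring as a set of Ed25519 keys indexed by fingerprint, uses a made-up payload format (concatenated 32-byte public keys) instead of PGP, and the package names and the `Scenario` walk-through are constructed to replay the attack Scott raises, an attacker placing a keyring containing their own key in the archive.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Keyring is the set of keys the local dpkg trusts, indexed by fingerprint.
// Toy model (assumption): real keyrings are PGP, not Ed25519.
type Keyring map[string]ed25519.PublicKey

// Fingerprint identifies a public key by the hex SHA-256 of its bytes.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SignedDeb stands in for a .deb plus a detached signature over its body.
// For a keyring package, Payload is the new keyring (concatenated public keys).
type SignedDeb struct {
	Name      string
	Payload   []byte
	SignerFpr string
	Sig       []byte
}

// Sign produces a package signed by priv.
func Sign(name string, payload []byte, priv ed25519.PrivateKey) SignedDeb {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedDeb{Name: name, Payload: payload, SignerFpr: Fingerprint(pub), Sig: ed25519.Sign(priv, payload)}
}

var ErrUnknownSigner = errors.New("signer not in the locally installed keyring")
var ErrBadSignature = errors.New("signature does not verify")

// Verify is the check from the reply: the signer must already be in the
// keyring installed here. Nothing shipped with the package, including any
// keyring it carries, is consulted.
func (kr Keyring) Verify(pkg SignedDeb) error {
	pub, ok := kr[pkg.SignerFpr]
	if !ok {
		return ErrUnknownSigner
	}
	if !ed25519.Verify(pub, pkg.Payload, pkg.Sig) {
		return ErrBadSignature
	}
	return nil
}

// KeyringFromPayload parses the toy keyring format (concatenated 32-byte keys).
func KeyringFromPayload(payload []byte) (Keyring, error) {
	if len(payload) == 0 || len(payload)%ed25519.PublicKeySize != 0 {
		return nil, errors.New("malformed keyring payload")
	}
	kr := Keyring{}
	for i := 0; i < len(payload); i += ed25519.PublicKeySize {
		pub := ed25519.PublicKey(append([]byte(nil), payload[i:i+ed25519.PublicKeySize]...))
		kr[Fingerprint(pub)] = pub
	}
	return kr, nil
}

// InstallKeyring replaces the local keyring only if the update verifies
// against the current one, so the trust anchor moves forward by a chain
// of signatures rather than being overwritten by whatever the archive serves.
func (kr Keyring) InstallKeyring(pkg SignedDeb) (Keyring, error) {
	if err := kr.Verify(pkg); err != nil {
		return kr, err
	}
	return KeyringFromPayload(pkg.Payload)
}

// Scenario replays the attack from the thread with constructed keys and
// package names, and returns the verification outcome of each step.
func Scenario() (attackerKeyringErr, attackerPkgErr, devUpdateErr, newDevPkgErr error) {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	atkPub, atkPriv, _ := ed25519.GenerateKey(rand.Reader)
	newDevPub, newDevPriv, _ := ed25519.GenerateKey(rand.Reader)

	local := Keyring{Fingerprint(devPub): devPub} // what is installed on my computer

	// Attacker-supplied keyring in the archive: adds the attacker key, signed by it.
	evil := Sign("debian-keyring", append(append([]byte{}, devPub...), atkPub...), atkPriv)
	attackerKeyringErr = local.Verify(evil)
	// A package signed with the attacker key: the key is not in the local keyring.
	attackerPkgErr = local.Verify(Sign("openssh", []byte("trojaned build"), atkPriv))

	// Legitimate rotation: an existing developer signs a keyring adding a new developer.
	update := Sign("debian-keyring", append(append([]byte{}, devPub...), newDevPub...), devPriv)
	local, devUpdateErr = local.InstallKeyring(update)
	newDevPkgErr = local.Verify(Sign("hello", []byte("legit build"), newDevPriv))
	return
}

func main() {
	a, b, c, d := Scenario()
	fmt.Println("attacker keyring:", a)
	fmt.Println("attacker package:", b)
	fmt.Println("developer-signed keyring update:", c)
	fmt.Println("package from newly added developer:", d)
}
```

The point the example makes concrete is that compromising the archive copy of the keyring gains nothing unless the attacker also holds a key already in the verifier's installed keyring: both the planted keyring and any package it would vouch for fail with `ErrUnknownSigner`, while a rotation signed by an existing developer carries trust forward to the new key.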