Re: Revival of the signed debs discussion
On Tue, Dec 02, 2003 at 03:58:53AM +0100, Goswin von Brederlow wrote:
> John Goerzen <email@example.com> writes:
> PS: Does debsigs just sign the control and data file or all files in
> the ar? What if we add some more files at some point (like a
It cats the control and data files together and signs the result.
Otherwise, an attacker could mix and match control and data files from
different .debs (as long as the files aren't modified) and still cause
BTW, there is a design doc in /usr/share/doc/debsigs that describes some
of these things.
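
The reasoning in the reply above, as an added example that is not part of the original message and is not debsigs code: it compares signing each member separately with signing the concatenation of the control and data members. HMAC-SHA256 under a constructed key stands in for the OpenPGP signature, and the package contents and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: stand-in for the signer's private key


def sign(blob: bytes) -> bytes:
    """Stand-in for an OpenPGP signature: HMAC-SHA256 under the demo key."""
    return hmac.new(KEY, blob, hashlib.sha256).digest()


def verify(blob: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(blob), sig)


def sign_per_member(pkg: dict) -> dict:
    """Weak scheme: one independent signature per archive member."""
    return {name: sign(pkg[name]) for name in ("control", "data")}


def verify_per_member(pkg: dict, sigs: dict) -> bool:
    return all(verify(pkg[n], sigs[n]) for n in ("control", "data"))


def sign_combined(pkg: dict) -> bytes:
    """Scheme from the message: concatenate control and data, sign the result."""
    return sign(pkg["control"] + pkg["data"])


def verify_combined(pkg: dict, sig: bytes) -> bool:
    return verify(pkg["control"] + pkg["data"], sig)


# Constructed sample members of two legitimately signed packages.
PKG_A = {"control": b"Package: foo\nVersion: 1.0\n", "data": b"foo-1.0 payload"}
PKG_B = {"control": b"Package: bar\nVersion: 2.0\n", "data": b"bar-2.0 payload"}


def mix_and_match_results() -> dict:
    """Pair A's control with B's data, reusing only signatures that already exist."""
    mixed = {"control": PKG_A["control"], "data": PKG_B["data"]}
    per_a, per_b = sign_per_member(PKG_A), sign_per_member(PKG_B)
    reused = {"control": per_a["control"], "data": per_b["data"]}
    existing_combined = (sign_combined(PKG_A), sign_combined(PKG_B))
    return {
        # Every member carries a valid signature, so the mixed package passes.
        "per_member_accepts_mixed": verify_per_member(mixed, reused),
        # No existing signature covers this control+data pairing.
        "combined_accepts_mixed": any(verify_combined(mixed, s) for s in existing_combined),
        "combined_accepts_original": verify_combined(PKG_A, existing_combined[0]),
    }
```

The per-member scheme accepts the mixed package even though no member was modified, while the combined signature only verifies for the exact pairing that was signed.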