[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Revival of the signed debs discussion

On Tue, Dec 02, 2003 at 03:58:53AM +0100, Goswin von Brederlow wrote:
> John Goerzen <jgoerzen@complete.org> writes:
> PS: Does debsigs just sign the control and data file or all files in
> the ar? What if we add some more files at some point (like a
> _buildinfo)?

It cats the control and data files together and signs the result.
Otherwise, an attacker could mix and match control and data files from
different .debs (as long as the files aren't modified) and still cause

BTW, there is a design doc in /usr/share/doc/debsigs that describes some
of these things.

-- John

Reply to: