Re: Revival of the signed debs discussion
* Joey Hess (firstname.lastname@example.org) [031202 02:55]:
> Goswin von Brederlow wrote:
> > What can we do with deb signatures?
> > For our current problem, the integrity of the debian archive being
> > questioned, the procedure would be easy and available to every user:
> > 1. get any clean Debian keyring (or just the key signing the keyring)
> > 2. verify the latest Debian keyring
> > 3. verify that each deb was signed by a DD and the signature fits
> The canoical attack against signed debs in this situation is to find a
> signed deb on snapshot.debian.net that contains a known security hole.
To avoid this attack, it is necessary that the filename of the deb or
the version of the package is also signed.
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C