Re: Revival of the signed debs discussion

Joey Hess <joeyh@debian.org> wrote:
> Goswin von Brederlow wrote:
>> > dpkg that it is downgrading the package, and a clever attacker might
>> > avoid even that.

>> How would you avoid it?

> Make the replacement package really be a different package entirely, of
> a higher version than the package it purports to replace.

> I think aj had some more examples along these lines the last time this
> came up.

I still don't understand how you change the version number (or the
package-name) without breaking the signature.
                   cu andreas
