Re: Revival of the signed debs discussion
Joey Hess <email@example.com> wrote:
> Goswin von Brederlow wrote:
>> > dpkg that it is downgrading the package, and a clever attacker might
>> > avoid even that.
>> How would you avoid it?
> Make the replacement package really be a different package entirely, of
> a higher version than the package it purports to replace.
> I think aj had some more examples along these lines the last time this
> came up.
I still don't understand how you change the version number (or the
package-name) without breaking the signature.