Re: Revival of the signed debs discussion

To: debian-devel@lists.debian.org
Subject: Re: Revival of the signed debs discussion
From: Joey Hess <joeyh@debian.org>
Date: Tue, 2 Dec 2003 14:42:41 -0500
Message-id: <[🔎] 20031202194241.GC22593@kitenet.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] E1ARDy4-0000m0-LO@mid.downhill.at.eu.org>
References: <[🔎] 8765h0mzk1.fsf@mrvn.homelinux.org> <[🔎] 20031201235436.GC2936@kitenet.net> <[🔎] 87ad6bkfev.fsf@mrvn.homelinux.org> <[🔎] 20031202144535.GA18163@kitenet.net> <[🔎] E1ARDy4-0000m0-LO@mid.downhill.at.eu.org>

Andreas Metzler wrote:
> I still don't understand how you change the version number (or the
> package-name) without breaking the signature.

Which signature? The Packages file is being modified, so of course the
hain of trust back to the Release file signature can be used to catch
tampering with it. However, the signature in a deb itself cannot help
against this kind of attack.

-- 
see shy jo

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>

References:
- Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Joey Hess <joeyh@debian.org>
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Joey Hess <joeyh@debian.org>
- Re: Revival of the signed debs discussion
  - From: Andreas Metzler <ametzler@downhill.at.eu.org>

Prev by Date: Re: Backport of the integer overflow in the brk system call
Next by Date: Re: Bits from the RM
Previous by thread: Re: Revival of the signed debs discussion
Next by thread: Re: Revival of the signed debs discussion
Index(es):
- Date
- Thread