Re: Revival of the signed debs discussion

To: debian-devel@lists.debian.org
Subject: Re: Revival of the signed debs discussion
From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
Date: 03 Dec 2003 06:43:18 +0100
Message-id: <[🔎] 87ptf6focp.fsf@mrvn.homelinux.org>
In-reply-to: <[🔎] 20031203023731.GA582@dijkstra.csh.rit.edu>
References: <[🔎] 8765h0mzk1.fsf@mrvn.homelinux.org> <[🔎] 20031201235436.GC2936@kitenet.net> <[🔎] 87ad6bkfev.fsf@mrvn.homelinux.org> <[🔎] 20031202144535.GA18163@kitenet.net> <[🔎] E1ARDy4-0000m0-LO@mid.downhill.at.eu.org> <[🔎] 20031202194241.GC22593@kitenet.net> <[🔎] 87fzg2hcx6.fsf@mrvn.homelinux.org> <[🔎] 20031203023731.GA582@dijkstra.csh.rit.edu>

Matt Zimmerman <mdz@debian.org> writes:

> On Wed, Dec 03, 2003 at 03:07:17AM +0100, Goswin von Brederlow wrote:
> 
> > But this kind of tampering _can_ be checked by apt before installing
> > the deb simply by adding a signature verifyer into the
> > DPkg::Pre-Install-Pkgs config option, the same mechanism
> > apt-listchanges already uses to display only the new section of the
> > changelog.
> 
> Indeed, apt can do a lot better, and is very close to doing so. See #203741.

The assumption was that the archive was compromised but the
Release.gpg file changed and resigned. #203741 is about checking the
Release.gpg chain of trust or is there more hidden in all the mails.

Did the BTS reoder the mails, there don't seem to follow a locigal
discussion. Haven't bothered to check the timestamps though.

MfG
        Goswin

Reply to:

Follow-Ups:
- Re: Revival of the signed debs discussion
  - From: Matt Zimmerman <mdz@debian.org>

References:
- Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Joey Hess <joeyh@debian.org>
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Joey Hess <joeyh@debian.org>
- Re: Revival of the signed debs discussion
  - From: Andreas Metzler <ametzler@downhill.at.eu.org>
- Re: Revival of the signed debs discussion
  - From: Joey Hess <joeyh@debian.org>
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Matt Zimmerman <mdz@debian.org>

Prev by Date: Re: Revival of the signed debs discussion
Next by Date: Re: OT: Smartcards and Physical Security [Was: Re: Backport of the integer overflow in the brk system call]
Previous by thread: Re: Revival of the signed debs discussion
Next by thread: Re: Revival of the signed debs discussion
Index(es):
- Date
- Thread