Re: Revival of the signed debs discussion
Matt Zimmerman <firstname.lastname@example.org> writes:
> On Wed, Dec 03, 2003 at 03:07:17AM +0100, Goswin von Brederlow wrote:
> > But this kind of tampering _can_ be checked by apt before installing
> > the deb simply by adding a signature verifier into the
> > DPkg::Pre-Install-Pkgs config option, the same mechanism
> > apt-listchanges already uses to display only the new section of the
> > changelog.
> Indeed, apt can do a lot better, and is very close to doing so. See #203741.
The assumption was that the archive was compromised but the
Release.gpg file changed and resigned. Is #203741 about checking the
Release.gpg chain of trust, or is there more hidden in all the mails?
Did the BTS reorder the mails? They don't seem to follow a logical
discussion. Haven't bothered to check the timestamps though.
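The hook mechanism the quoted paragraph refers to, shown as an added example (not code from this thread): a DPkg::Pre-Install-Pkgs script that reads the paths of the .deb files apt is about to hand to dpkg (one per line on stdin, the version-1 hook format) and fails the run if any package does not pass a per-package signature check. The hook path, the use of debsig-verify as the checker, and the script name are assumptions.

```shell
#!/bin/sh
# Assumed apt.conf fragment that wires this script in:
#   DPkg::Pre-Install-Pkgs { "/usr/local/sbin/verify-debs"; };
# apt writes the full path of every .deb it will install, one per line,
# to the hook's stdin. A non-zero exit from the hook aborts the whole
# dpkg run, so nothing is unpacked if a single signature is bad.

# Per-package checker. debsig-verify is assumed here; any command that
# exits non-zero on a failed check can be substituted via the environment.
VERIFIER="${VERIFIER:-debsig-verify}"

# Reads .deb paths from stdin; returns 1 if any package fails verification.
verify_debs() {
    status=0
    while IFS= read -r deb; do
        [ -n "$deb" ] || continue
        if "$VERIFIER" "$deb" >/dev/null 2>&1; then
            echo "ok: $deb"
        else
            # Report but keep going, so the log names every bad package.
            echo "FAILED signature check: $deb" >&2
            status=1
        fi
    done
    return $status
}

# Only run as the hook when installed under the assumed script name;
# sourcing the file elsewhere just defines verify_debs.
case "${0##*/}" in
    verify-debs) verify_debs ;;
esac
```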