[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Revival of the signed debs discussion

* Matt Zimmerman (mdz@debian.org) [031204 22:25]:
> On Thu, Dec 04, 2003 at 03:58:38PM -0500, Daniel Jacobowitz wrote:
> > On Thu, Dec 04, 2003 at 02:41:43PM -0500, Matt Zimmerman wrote:
> > > What kind of real world attacks do signed debs prevent?
> > > 
> > > The only one which comes to mind is a rogue Debian developer that you do
> > > not wish to trust, even though the project trusts him.

> > Someone pretending to be someone Manoj trusts, offering him a corrupted
> > .deb offline?
> s/offline/without the corresponding signed metadata/
> The advantage would certainly appear to be one of convenience (keeping
> everything in one file), rather than security (preventing attacks).

If it is more convenient, than security actions are far more often

   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C

Reply to: