Re: Revival of the signed debs discussion

To: Debian Developers <debian-devel@lists.debian.org>
Subject: Re: Revival of the signed debs discussion
From: Andreas Barth <aba@not.so.argh.org>
Date: Mon, 1 Dec 2003 21:00:10 +0100
Message-id: <[🔎] 20031201200010.GB17282@mails.so.argh.org>
Mail-followup-to: Andreas Barth <aba@not.so.argh.org>, Debian Developers <debian-devel@lists.debian.org>
In-reply-to: <[🔎] 20031201162639.GA22407@complete.org>
References: <[🔎] 8765h0mzk1.fsf@mrvn.homelinux.org> <[🔎] 1070294218.31956.26.camel@elite> <[🔎] 20031201162639.GA22407@complete.org>

* John Goerzen (jgoerzen@complete.org) [031201 17:40]:
> Even if the attacker could place a new keyring file in the archive,
> people verifying signatures on signed .debs would not install it, since
> it would not have the signature of a developer.

And to be honest: If all debs are signed, and it is easy possible, I
would restrict accepted signatures at my private machine for the
keyring package to James - and let me send a mail if there is a
keyring package signed by any other DD. So, the real danger would be
if James key is stolen.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C

Reply to:

Follow-Ups:
- Re: Revival of the signed debs discussion
  - From: Zenaan Harkness <zen@iptaustralia.net>

References:
- Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Scott James Remnant <scott@netsplit.com>
- Re: Revival of the signed debs discussion
  - From: John Goerzen <jgoerzen@complete.org>

Prev by Date: Re: (no subject)
Next by Date: Re: Debian Enterprise - a Custom Debian Distribution
Previous by thread: Re: Revival of the signed debs discussion
Next by thread: Re: Revival of the signed debs discussion
Index(es):
- Date
- Thread