Re: Revival of the signed debs discussion

To: debian-devel@lists.debian.org
Subject: Re: Revival of the signed debs discussion
From: Andreas Metzler <ametzler@downhill.at.eu.org>
Date: Tue, 02 Dec 2003 18:05:44 +0100
Message-id: <[🔎] E1ARDy4-0000m0-LO@mid.downhill.at.eu.org>
Mail-followup-to: <debian-devel@lists.debian.org>
References: <[🔎] 8765h0mzk1.fsf@mrvn.homelinux.org> <[🔎] 20031201235436.GC2936@kitenet.net> <[🔎] 87ad6bkfev.fsf@mrvn.homelinux.org> <[🔎] 20031202144535.GA18163@kitenet.net>

Joey Hess <joeyh@debian.org> wrote:
> Goswin von Brederlow wrote:
>> > dpkg that it is downgrading the package, and a clever attacker might
>> > avoid even that.

>> How would you avoid it?

> Make the replacement package really be a different package entirely, of
> a higher version than the package it purports to replace.

> I think aj had some more examples along these lines the last time this
> came up.

I still don't understand how you change the version number (or the
package-name) without breaking the signature.
                   cu andreas

Reply to:

Follow-Ups:
- Re: Revival of the signed debs discussion
  - From: Joey Hess <joeyh@debian.org>
- Re: Revival of the signed debs discussion
  - From: Steve Langasek <vorlon@netexpress.net>
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>

References:
- Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Joey Hess <joeyh@debian.org>
- Re: Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Joey Hess <joeyh@debian.org>

Prev by Date: Re: Bits from the RM
Next by Date: Re: Revival of the signed debs discussion
Previous by thread: Re: Revival of the signed debs discussion
Next by thread: Re: Revival of the signed debs discussion
Index(es):
- Date
- Thread