Re: Revival of the signed debs discussion
On Thu, Dec 04, 2003 at 02:41:43PM -0500, Matt Zimmerman wrote:
> On Thu, Dec 04, 2003 at 12:28:41PM -0600, Manoj Srivastava wrote:
>
> > On Thu, 4 Dec 2003 11:47:50 -0500, Matt Zimmerman <mdz@debian.org> said:
> >
> > > What kind of real world attacks do signed debs prevent? Not a
> > > compromised buildd, or a compromised maintainer's workstation.
> >
> > It would allow me to copy .debs around with other people, or
> > use .debs not made available through the usual chain of security; as
> > long as the author hapens to be in my web of trust.
>
> What kind of real world attacks do signed debs prevent?
>
> The only one which comes to mind is a rogue Debian developer that you do not
> wish to trust, even though the project trusts him.
Someone pretending to be someone Manoj trusts, offering him a corrupted
.deb offline?
--
Daniel Jacobowitz
MontaVista Software Debian GNU/Linux Developer
Reply to: