
Re: dpkg-sig support wanted?



Thomas Bushnell BSG <tb@becket.net> writes:

> Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de> writes:
>
>> The archive signing key gives absolutely no integrity assurance on the
>> deb package. The only thing it ensures is that the file was not
>> altered _after_ leaving ftp.de.debian.org for the mirrors and/or
>> user. In no way does it prevent altering the deb on ftp-master.
>
> Isn't that a useful assurance?  Perhaps I trust the maintenance of
> ftp-master, but not the maintenance of Joe Random Mirror.

It sure is useful as it removes a lot of untrusted steps from being a
vulnerability. But that doesn't help if the attack happens at
ftp-master.

Regards,
        Goswin


