Re: dpkg-sig support wanted?
Thomas Bushnell BSG <firstname.lastname@example.org> writes:
> Goswin von Brederlow <email@example.com> writes:
>> The archive signing key gives absolutely no integrity ensurance on the
>> deb package. The only thing it insures is that the file was not
>> altered _after_ leaving ftp.de.debian.org for the mirrors and/or
>> user. In no way does it prevent altering the deb on ftp-master.
> Isn't that a useful assurance? Perhaps I trust the maintenance of
> ftp-master, but not the maintenance of Joe Random Mirror.
It sure is usefull as it removes a lot of untrusted steps from being a
vulnerability. But that doesn't help if the attack happens at