Re: Package management unsafe?
On Sun, 2008-07-13 at 16:19 +0930, Karl Goetz wrote:
> On Sun, 2008-07-13 at 02:13 +0200, Franklin PIAT wrote:
> > Hello,
> > On Sat, 2008-07-12 at 23:13 +0000, Joe Smith wrote:
> > > Andrei Popescu <andreimpopescu <at> gmail.com> writes:
> > >
> > One costly solution would be to get the client to send a challenge to a
> > trusted server, which would respond by GPG-signing the challenge + the
> > checksum of the current Release file.
> How would all these schemes work with offline mirrors? e.g. ones that are
> built and used without an internet connection for a month.
You would be warned that your security update server can't be
contacted/validated, which is accurate.
BTW, of course, the GPG key wouldn't have to be a Debian key, but any trusted
key for that purpose (e.g. including a corporate or Debian-derivative key).