Re: kernel.org compromised
* Joerg Jaspert (joerg@debian.org) [110903 12:44]:
>
> > Yeah, yeah. We've beaten that horse to death, and our side lost. I also
> > advocate that all debs should be signed, but that was not the will of the
> > ftp-masters the last time the issue was up for discussion.
>
> That's wrong.
> Since 03 Aug 2008 at least.
>
> See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=340306#33
This means that dpkg-sig needs to be completely re-written, even though
it was working quite well (before it was blocked by ftp-masters). Not
exactly what I would consider helpful, but well.

Anyways, I don't think discussing this topic more will gain us
anything. (And also the question of signing .deb-packages is completely
orthogonal to authentication of the downloaded packages files which
works, and which is necessary for protection from taken over hosts
like kernel.org this time).
Andi