
Re: PATCH: package verification in dpkg



On Sat, 10 Mar 2001, Wichert Akkerman wrote:

> > Could it at least have an option to turn it off? APT users using the new
> > secured release files are not going to want to burn the cycles to do this.
> 
> That is an entirely different form of security check, and not as powerful
> as this one.. the two are somewhat orthogonal.

I can think of no security benefit that normal users will derive from
checking deb signatures when the signed release file is already being
used.

'Power' users with a link to the trust network, and who are willing to
wire in package->key mappings will derive a benefit, and those people can
certainly turn it on.

I just don't see why we need to make things even slower and less likely to
work by forcing this option to default on for APT installs. The last thing
I need is bug reports from people with out-of-date key rings complaining
that their package installs don't work anymore.

Jason


