[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PATCH: package verification in dpkg

On Sat, 10 Mar 2001, Wichert Akkerman wrote:

> > Could it at least have an option to turn it off? APT users using the new
> > secured release files are not going to want to burn the cycles to do this.
> That is an entirely different form of security check, and not as powerful
> as this one.. the two are somewhat orthogonal.

I can think of no security benifit that normal users will derive from
checking deb signatures when the signed release file is already being

'Power' users with a link to the trust network, and who are willing to
wire in package->key mappings will derive a benifit, and those people can
certainly turn it on.

I just don't see why we need to make things even slower and less likely to
work by forcing this option to default on for APT installs. The last thing
I need is bug reports from people with out of date key rings complaining
that their package installs don't work anymore.


Reply to: