
Re: PATCH: package verification in dpkg



On Fri, Mar 09, 2001 at 05:24:02PM -0700, Jason Gunthorpe wrote:
> 
> On Sat, 10 Mar 2001, Wichert Akkerman wrote:
> 
> > > Could it at least have an option to turn it off? APT users using the new
> > > secured release files are not going to want to burn the cycles to do this.
> > 
> > That is an entirely different form of security check, and not as powerful
> > as this one.. the two are somewhat orthogonal.
> 
> I can think of no security benefit that normal users will derive from
> checking deb signatures when the signed release file is already being
> used.

Then make apt pass --force-noverify (or whatever it is). However, when
doing .deb install on the command line without apt (*gasp* not using
apt) there is no security. Also, just because APT checks the sig of the
Release file, does not mean that it is unwanted to check the deb
signatures too. The two complement each other, IMO.

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'


