Re: PATCH: package verification in dpkg
On Fri, 9 Mar 2001, Ben Collins wrote:

> > Then IMHO they are not very worthwhile. When the best Debian can do is say
> > 'all packages are signed by one of these 800 keys' :P
>
> That's why the package should also get signed by the same dinstall key
> that signs the release sig :P

Debian can't do that because of our mirror network.

> Of course, which is why I said that the two complement each other.

If you really think that then let debsigs handle the things it is good at
and focus on that. I don't think the current dpkg patch has that kind of
focus.

> You keep arguing as if anyone thinks that the .deb sig is trying to do
> things that the release sig was meant to do. That is not the case. Stop

You accused me of never defining "obsolete attacks". The above is the
example I have given several times.

> arguing against weak points of signing deb's compared to strong points
> of having a release sig. The two work together. Where one fails the

I did not make a value judgement, I answered your question :P

> other picks up. It's not a competition Jason, it's a cooperative effort
> here. No one is trying to step on any toes.

I have consistently maintained the viewpoint that deb signatures allow
fine-grained, highly paranoid security checking when used by a skilled
user. What I dispute is that they can be automated for use by Debian and
realize anything but a minor security increase. To me this dpkg patch in
its current form is exactly that sort of automation and I think it gives a
bad impression to our users.

Jason