[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PATCH: package verification in dpkg

On Fri, Mar 09, 2001 at 10:36:21PM -0500, Ben Collins wrote:
> > Then IMHO they are not very worthwhile. When the best Debian can do is say
> > 'all packages are signed by one of these 800 keys' :P
> That's why the package should also get signed by the same dinstall key
> that signs the release sig :P

Oh, btw, for people using dselect, apt and apt frontends, signing just
the .debs isn't enough. Consider somewhen leaving all the .debs exactly
as is, and hax0ring the Packages.gz file to make dpkg appear to conflict
with some security fixes, or to depend on some buggy package, or changing
the md5sums on some packages so apt'll refuse to install them, or similar.

This applies whether you have a `progeny' signature on each .deb or not,
too, note.


Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

``_Any_ increase in interface difficulty, in exchange for a benefit you
  do not understand, cannot perceive, or don't care about, is too much.''
                      -- John S. Novak, III (The Humblest Man on the Net)

Attachment: pgpHYi1o379rV.pgp
Description: PGP signature

Reply to: