[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PATCH: package verification in dpkg

On Mon, Mar 12, 2001 at 12:10:48PM +1000, Anthony Towns wrote:
> On Fri, Mar 09, 2001 at 10:36:21PM -0500, Ben Collins wrote:
> > > Then IMHO they are not very worthwhile. When the best Debian can do is say
> > > 'all packages are signed by one of these 800 keys' :P
> > That's why the package should also get signed by the same dinstall key
> > that signs the release sig :P
> Oh, btw, for people using dselect, apt and apt frontends, signing just
> the .debs isn't enough. Consider somewhen leaving all the .debs exactly
> as is, and hax0ring the Packages.gz file to make dpkg appear to conflict
> with some security fixes, or to depend on some buggy package, or changing
> the md5sums on some packages so apt'll refuse to install them, or similar.
> This applies whether you have a `progeny' signature on each .deb or not,
> too, note.

Oh, and as has been said many times, no one ever said having a Release.gpg
was a bad idea.

Can we stop the battle of the sigs now please?

/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '

Reply to: