Re: PATCH: package verification in dpkg



On Mon, Mar 12, 2001 at 12:10:48PM +1000, Anthony Towns wrote:
> On Fri, Mar 09, 2001 at 10:36:21PM -0500, Ben Collins wrote:
> > > Then IMHO they are not very worthwhile. When the best Debian can do is say
> > > 'all packages are signed by one of these 800 keys' :P
> > That's why the package should also get signed by the same dinstall key
> > that signs the release sig :P
> 
> Oh, btw, for people using dselect, apt and apt frontends, signing just
> the .debs isn't enough. Consider somewhen leaving all the .debs exactly
> as is, and hax0ring the Packages.gz file to make dpkg appear to conflict
> with some security fixes, or to depend on some buggy package, or changing
> the md5sums on some packages so apt'll refuse to install them, or similar.
> 
> This applies whether you have a `progeny' signature on each .deb or not,
> too, note.

Oh, and as has been said many times, no one ever said having a Release.gpg
was a bad idea.

Can we stop the battle of the sigs now please?

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
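The check the quoted paragraph argues for, as an added example that is not part of this thread or of dpkg/apt's own code: once gpgv has verified Release.gpg (assumed to have happened before this runs), a Packages index is accepted only if its size and digest match the entry in the signed Release file, so an edited Packages.gz is rejected even when every .deb is untouched. The Release text and index bytes are constructed samples; the section names (MD5Sum, SHA256) follow the Release file format.

```python
import hashlib
import hmac

# Constructed sample index and a Release file listing it (digests computed
# from the sample so the example is self-contained and runs offline).
PATH = "main/binary-i386/Packages.gz"
PACKAGES_GZ = b"Package: dpkg\nVersion: 1.9.0\nDepends: libc6\n"
RELEASE = (
    "Origin: Debian\nSuite: stable\n"
    "MD5Sum:\n"
    f" {hashlib.md5(PACKAGES_GZ).hexdigest()} {len(PACKAGES_GZ)} {PATH}\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES_GZ).hexdigest()} {len(PACKAGES_GZ)} {PATH}\n"
)
# The kind of edit the thread describes: the .debs stay intact, only the index changes.
TAMPERED = PACKAGES_GZ.replace(b"Depends: libc6", b"Conflicts: ssh")

ALGOS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def parse_release(text):
    """Return {section: {path: (digest, size)}} for the hash sections of a Release file."""
    sums, current = {}, None
    for line in text.splitlines():
        stripped = line.rstrip()
        if line.startswith(" ") and current:
            digest, size, path = stripped.split()
            sums[current][path] = (digest, int(size))
        elif stripped.endswith(":") and stripped[:-1] in ALGOS:
            current = stripped[:-1]          # start of MD5Sum:/SHA1:/SHA256: block
            sums[current] = {}
        else:
            current = None                   # any other field ends the hash block
    return sums


def index_matches_release(release_text, path, index_bytes, section="SHA256"):
    """True only if the index's size and digest equal what the signed Release lists."""
    entry = parse_release(release_text).get(section, {}).get(path)
    if entry is None:
        return False                         # an index the Release does not list is untrusted
    digest, size = entry
    if len(index_bytes) != size:
        return False
    actual = hashlib.new(ALGOS[section], index_bytes).hexdigest()
    return hmac.compare_digest(actual, digest)
```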