
Re: PATCH: package verification in dpkg

On Sun, Mar 11, 2001 at 09:53:37PM -0500, Ben Collins wrote:
> > > That's why the package should also get signed by the same dinstall key
> > > that signs the release sig :P
> > Oh, btw, for people using dselect, apt and apt frontends, signing just
> > the .debs isn't enough. Consider somewhen leaving all the .debs exactly
> > as is, and hax0ring the Packages.gz file to make dpkg appear to conflict
> > with some security fixes, or to depend on some buggy package, or changing
> > the md5sums on some packages so apt'll refuse to install them, or similar.
> > 
> > This applies whether you have a `progeny' signature on each .deb or not,
> > too, note.
> Can we stop the battle of the sigs now please?

Sure, I just mean it's probably something Progeny and co want to be aware
of. Here seemed as good a place as any to mention it.


Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

``_Any_ increase in interface difficulty, in exchange for a benefit you
  do not understand, cannot perceive, or don't care about, is too much.''
                      -- John S. Novak, III (The Humblest Man on the Net)

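The point in the quoted paragraph, as an added example (not code from this mail or from dpkg/apt): a per-.deb hash check cannot detect an edited Packages index, while anchoring the index to the digest carried in a signed Release file does. The .deb contents and the Release digest are constructed stand-ins.

```python
import hashlib

# Constructed stand-ins for the archive's .deb files (not real packages).
DEBS = {"dpkg_1.9_i386.deb": b"dpkg payload", "libc6_2.2_i386.deb": b"libc6 payload"}

def md5(data):      # MD5 is what Packages files of this era carried; it is not collision-resistant.
    return hashlib.md5(data).hexdigest()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def build_packages(debs):
    """Minimal Packages index: one stanza per .deb, as the archive would publish it."""
    stanzas = []
    for name, data in debs.items():
        stanzas.append(f"Package: {name.split('_')[0]}\nFilename: {name}\nMD5sum: {md5(data)}\n")
    return "\n".join(stanzas)

def parse_packages(text):
    out = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        out[fields["Package"]] = fields
    return out

def verify_debs(packages_text, debs):
    """The per-package check: every .deb must match the MD5sum its index stanza lists."""
    idx = parse_packages(packages_text)
    return all(md5(debs[f["Filename"]]) == f["MD5sum"] for f in idx.values())

def verify_index(packages_text, trusted_sha256):
    """Anchors the whole index to the digest a signed Release file would carry."""
    return sha256(packages_text.encode()) == trusted_sha256

GENUINE = build_packages(DEBS)
RELEASE_SHA256 = sha256(GENUINE.encode())   # stand-in for the digest in a signed Release file

def simulate_index_edit(packages_text):
    """The scenario from the mail: .debs untouched, index edited to make dpkg conflict with libc6."""
    return packages_text.replace("Package: dpkg\n", "Package: dpkg\nConflicts: libc6\n")

def demo():
    edited = simulate_index_edit(GENUINE)
    return {
        "debs_ok_genuine": verify_debs(GENUINE, DEBS),
        "debs_ok_edited": verify_debs(edited, DEBS),        # True: the .debs still match
        "index_ok_genuine": verify_index(GENUINE, RELEASE_SHA256),
        "index_ok_edited": verify_index(edited, RELEASE_SHA256),  # False: the edit is caught
    }
```

Altering the MD5sum fields instead would make `verify_debs` fail on genuine .debs, which is the denial-of-service variant the mail mentions; only the Release-anchored check distinguishes that from a corrupt download.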