Re: PATCH: package verification in dpkg
On Mon, Mar 12, 2001 at 04:34:29PM +1000, Anthony Towns wrote:
> On Sun, Mar 11, 2001 at 09:53:37PM -0500, Ben Collins wrote:
> > > > That's why the package should also get signed by the same dinstall key
> > > > that signs the release sig :P
> > > Oh, btw, for people using dselect, apt and apt frontends, signing just
> > > the .debs isn't enough. Consider somewhen leaving all the .debs exactly
> > > as is, and hax0ring the Packages.gz file to make dpkg appear to conflict
> > > with some security fixes, or to depend on some buggy package, or changing
> > > the md5sums on some packages so apt'll refuse to install them, or similar.
> > >
> > > This applies whether you have a `progeny' signature on each .deb or not,
> > > too, note.
> > Can we stop the battle of the sigs now please?
>
> Sure, I just mean it's probably something Progeny and co want to be aware
> of. Here seemed as good a place as any to mention it.
Ok. I think progeny is going with "release" signatures on the .debs
though, since they don't have to worry about b/w and mirrors like we do.
John may want to consider looking into the signed release file too.
--
-----------=======-=-======-=========-----------=====------------=-=------
/ Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \
` bcollins@debian.org -- bcollins@openldap.org -- bcollins@linux.com '
`---=========------=======-------------=-=-----=-===-======-------=--=---'
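The point raised above (signed .debs alone do not stop someone editing Packages.gz, a signed Release file does) as an added example that is not part of the thread or of apt/dpkg: a constructed mini-repository where Release lists the hash of Packages and Packages lists the hash of the .deb. The Release "signature" is an HMAC stand-in for the dinstall GPG signature, SHA-256 stands in for the MD5 sums the 2001 indexes carried, and all file contents are constructed.

```python
import hashlib
import hmac

# Constructed stand-in for the dinstall signing key (real apt verifies a GPG signature).
RELEASE_KEY = b"constructed-dinstall-key"
# Constructed stand-in for the bytes of dpkg_1.9.4_i386.deb (content is irrelevant here).
DEB = b"!<arch>\n constructed dpkg .deb bytes"
PACKAGES_PATH = "main/binary-i386/Packages"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_packages(deb: bytes, depends: str) -> bytes:
    # One minimal Packages stanza, as apt reads it from Packages.gz.
    return (f"Package: dpkg\nVersion: 1.9.4\nDepends: {depends}\n"
            f"SHA256: {sha256(deb)}\nFilename: pool/main/d/dpkg/dpkg_1.9.4_i386.deb\n\n").encode()

def build_release(packages: bytes) -> bytes:
    # Release pins the hash and size of every index file the archive publishes.
    return f"Suite: unstable\nSHA256:\n {sha256(packages)} {len(packages)} {PACKAGES_PATH}\n".encode()

def sign_release(release: bytes) -> bytes:
    return hmac.new(RELEASE_KEY, release, hashlib.sha256).digest()

def release_hashes(release: bytes) -> dict:
    # Parse the "SHA256:" block of Release: lines of " <hash> <size> <path>".
    out, in_section = {}, False
    for line in release.decode().splitlines():
        if line == "SHA256:":
            in_section = True
        elif in_section and line.startswith(" "):
            h, size, path = line.split()
            out[path] = (h, int(size))
        else:
            in_section = False
    return out

def packages_fields(packages: bytes) -> dict:
    return dict(l.split(": ", 1) for l in packages.decode().splitlines() if ": " in l)

def deb_only_check(packages: bytes, deb: bytes) -> bool:
    # What "just sign the .debs" buys you: the .deb matches the index, nothing more.
    return packages_fields(packages).get("SHA256") == sha256(deb)

def verify_chain(release: bytes, sig: bytes, packages: bytes, deb: bytes) -> bool:
    # Release signature -> Packages hash/size -> .deb hash. Any break fails closed.
    if not hmac.compare_digest(sign_release(release), sig):
        return False
    if release_hashes(release).get(PACKAGES_PATH) != (sha256(packages), len(packages)):
        return False
    return deb_only_check(packages, deb)
```

An index edited to add a bogus dependency leaves every .deb and its hash line intact, so `deb_only_check` still passes while `verify_chain` rejects it.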