
Re: AW: dselect / apt-get and packages

On Mon, Jul 08, 2002 at 11:31:55PM +0100, Matthew Johnson wrote:
> On Mon, 2002-07-08 at 22:15, Marcel Weber wrote:
> > 
> > Well this would not be a big thing, would it? When I take a look at the ftp
> > server, there is a .dsc with pgp signatures for each package. So letting
> > dselect / aptitude or better dpkg-get doing a check for the key via gpg
> > would be no big deal, or am I wrong? As there are many mirrors worldwide,
> > that could be hacked or something, it would be a huge security improvement.
> The main problem is presumably with trust of the keys. If all the debian
> developers / package maintainers had keys signed by a central debian key
> - then you still have to trust that debian key. Events like debconf
> could certainly be used to check fingerprints and sign keys - but that
> still leaves a lot of ppl without an easy way to check.

Is it possible to compile statistics on how many DDs are in this situation?
What about identifying these "weak nodes" and then trying to enforce them?


Samuele Giovanni Tonon  <samu@linuxasylum.net>   http://www.linuxasylum.net/~samu/
          	Acid -- better living through chemistry.
			       Timothy Leary
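
One way to produce the statistic asked about above, as an added example that is not part of the original thread: treat key signatures as a directed graph and list the developer keys that have no signature chain back to a central key. The key names, the `SIGNATURES` data and the function names are all constructed for illustration.

```python
from collections import deque

# Constructed sample data: signer -> keys that signer has signed.
# All key names are hypothetical placeholders, not real Debian keys.
SIGNATURES = {
    "central-debian-key": ["dev-alice", "dev-bob"],
    "dev-alice": ["dev-carol", "dev-bob"],
    "dev-bob": ["dev-alice"],
    "dev-carol": ["dev-dave"],
    "dev-dave": [],
    "dev-erin": ["dev-frank"],   # erin and frank only sign each other
    "dev-frank": ["dev-erin"],
    "dev-grace": [],             # never met anyone to exchange signatures
}


def trust_depths(signatures, root, max_depth=None):
    """Breadth-first walk from root; map each reachable key to the
    length of its shortest signature chain from root."""
    depths = {root: 0}
    queue = deque([root])
    while queue:
        signer = queue.popleft()
        if max_depth is not None and depths[signer] >= max_depth:
            continue  # chain already as long as we are willing to trust
        for signed in signatures.get(signer, ()):
            if signed not in depths:
                depths[signed] = depths[signer] + 1
                queue.append(signed)
    return depths


def weak_nodes(signatures, root, max_depth=None):
    """Keys with no signature chain from root within max_depth hops."""
    all_keys = set(signatures)
    for signed in signatures.values():
        all_keys.update(signed)
    return sorted(all_keys - set(trust_depths(signatures, root, max_depth)))


def weak_fraction(signatures, root, max_depth=None):
    """Share of non-root keys that cannot be checked via the root."""
    all_keys = set(signatures) | {k for v in signatures.values() for k in v}
    return len(weak_nodes(signatures, root, max_depth)) / (len(all_keys) - 1)


if __name__ == "__main__":
    print(weak_nodes(SIGNATURES, "central-debian-key"))
    print(weak_nodes(SIGNATURES, "central-debian-key", max_depth=2))
```

Mutual signatures between two keys (erin and frank in the sample) do not help unless one of them is also tied into the chain from the central key, and capping the chain length moves further keys into the weak set.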
