Re: AW: dselect / apt-get and packages
On Mon, Jul 08, 2002 at 11:31:55PM +0100, Matthew Johnson wrote:
> On Mon, 2002-07-08 at 22:15, Marcel Weber wrote:
> >
> > Well this would not be a big thing, would it? When I take a look at the ftp
> > server, there is a .dsc with pgp signatures for each package. So letting
> > dselect / aptitude or better dpkg-get doing a check for the key via gpg
> > would be no big deal, or am I wrong? As there are many mirrors worldwide,
> > that could be hacked or something, it would be a huge security improvement.
>
> The main problem is presumably with trust of the keys. If all the debian
> developers / package maintainers had keys signed by a central debian key
> - they you still have to trust that debian key. Events like debconf
> could certainly be used to check fingerprints and sign keys - but that
> still leaves a lot of ppl without an easy way to check.
Is it possible to make a statistic on how many DD are in this situation ?
What about on identify this "weak nodes" and then try to enforce them ?
cya
Samuele
--
Samuele Giovanni Tonon <samu@linuxasylum.net> http://www.linuxasylum.net/~samu/
Acid -- better living through chemistry.
Timothy Leary
--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: