Re: Time for apt-secure?

To: debian-security@lists.debian.org
Subject: Re: Time for apt-secure?
From: Michael Stone <mstone@debian.org>
Date: Mon, 1 Dec 2003 06:17:06 -0500
Message-id: <[🔎] 20031201111706.GB1519@mathom.us>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 3FCB092A.1090809@iki.fi>
References: <E1APUkT-0007fM-00@calista.eckenfels.6bone.ka-ip.net> <3FC71120.9030005@iki.fi> <20031130183032.GA1519@mathom.us> <[🔎] 3FCB092A.1090809@iki.fi>

On Mon, Dec 01, 2003 at 11:26:02AM +0200, Camillo Särs wrote:

As an example, 3.0r2 did not install on my system before I reconfiguredtrust in the archives. This worked as intended, although that may not beimmediately obvious.


Where did you get the new key? How did you verify it? Are you aware of
how the archives are signed? Are you aware of how the packages are
built? The signature mechanism will protect against a compromised mirror
but not against a compromised archive. As it turns out that doesn't
appear to ahve happened, but the apt-secure method is insufficient to
demonstrate that.

Mike Stone

Reply to:

Follow-Ups:
- Re: Time for apt-secure?
  - From: Camillo Särs <ged@iki.fi>

References:
- Re: Time for apt-secure?
  - From: Camillo Särs <ged@iki.fi>

Prev by Date: Rappel pour les abonnements aux listes sur udius.com
Next by Date: Re: Time for apt-secure?
Previous by thread: Re: Time for apt-secure?
Next by thread: Re: Time for apt-secure?
Index(es):
- Date
- Thread