Re: Time for apt-secure?

On Mon, Dec 01, 2003 at 11:26:02AM +0200, Camillo Särs wrote:
As an example, 3.0r2 did not install on my system before I reconfigured trust in the archives. This worked as intended, although that may not be immediately obvious.

Where did you get the new key? How did you verify it? Are you aware of
how the archives are signed? Are you aware of how the packages are
built? The signature mechanism will protect against a compromised mirror
but not against a compromised archive. As it turns out that doesn't
appear to have happened, but the apt-secure method is insufficient to
demonstrate that.

Mike Stone
