
Re: apt 0.6 and how it does *not* solve the problem



>>>>> "Bron" == Bron Gondwana <brong@brong.net> writes:

[...]

Bron> This doesn't work.  The problem is basically:

Bron> a) what about a package which they uploaded while valid, more than
Bron> 6 months ago, that someone wants to download and install now.
Bron> b) if by date, what's to stop someone backdating a package and
Bron> falsifying a mirror/proxy with a copy of their package.  The
Bron> signature will still check out.

AFAIK, developer keys aren't used to sign packages in the archive.
They are only used to upload packages.  When you check the signature
from the repository, you are checking it against the Debian archive key
(which changes periodically).

(note: I am not a DD, and I've only been loosely following apt 0.6.  But
I am a package maintainer.)

-- 
Hubert Chan <hubert@uhoreg.ca> - http://www.uhoreg.ca/
PGP/GnuPG key: 1024D/124B61FA
Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA
Key available at wwwkeys.pgp.net.   Encrypted e-mail preferred.
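The chain of trust the reply describes, as an added example that is not part of the original thread or of apt itself: the archive key signs only the Release file; trust in an individual .deb comes from the hash the Release file lists for the Packages index and the hash the Packages index lists for the package, not from the developer's upload signature. The constructed Release, Packages and .deb data below are stand-ins, and the gpg check of the Release signature against the archive keyring is assumed to have already passed.

```python
import hashlib

# Constructed sample data (not from a real mirror): a .deb body, the Packages
# index that lists it, and the Release file that the archive key would sign.
DEB_BODY = b"!<arch>\n(constructed stand-in for a .deb archive body)\n"
PACKAGES = (
    "Package: example\n"
    "Version: 1.0-1\n"
    "Filename: pool/main/e/example/example_1.0-1_all.deb\n"
    f"Size: {len(DEB_BODY)}\n"
    f"SHA256: {hashlib.sha256(DEB_BODY).hexdigest()}\n"
)
RELEASE = (
    "Origin: Debian\n"
    "Suite: stable\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES.encode()).hexdigest()} {len(PACKAGES)} main/binary-all/Packages\n"
)

def release_digests(release_text):
    """Map each index path in the Release file's SHA256 block to (digest, size)."""
    out = {}
    in_block = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if in_block and line.startswith(" "):
            digest, size, path = line.split()
            out[path] = (digest, int(size))
        elif in_block:
            in_block = False  # the next non-indented field ends the block
    return out

def index_is_covered(release_text, index_path, index_bytes):
    """True if the Packages index matches the digest the signed Release lists."""
    entry = release_digests(release_text).get(index_path)
    if entry is None:
        return False
    digest, size = entry
    return len(index_bytes) == size and hashlib.sha256(index_bytes).hexdigest() == digest

def package_is_covered(packages_text, filename, deb_bytes):
    """True if the .deb matches the digest the (already verified) Packages index lists."""
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if fields.get("Filename") == filename:
            return (int(fields["Size"]) == len(deb_bytes)
                    and fields["SHA256"] == hashlib.sha256(deb_bytes).hexdigest())
    return False
```

A mirror that serves a modified index or package fails the corresponding check, whatever signature the .deb itself carries; what this chain does not cover is an attacker replaying an old but genuinely signed Release file.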
