
Re: first A record of security.debian.org extremely slow



thus spoke Florian Weimer <fw@deneb.enyo.de> [2006.03.02.2006 +0100]:
> By default, package authenticity is not validated in sarge and
> earlier releases.  From a security POV, it's better to download
> those updates from a limited set of well-maintained servers. It
> reduces the attack surface somewhat.

Sure it does. But it cannot be the reason why there are no
officially-endorsed mirrors -- I'd just upload my trojans to sarge's
archive with a higher version number then.

http://www.debian.org/security/faq#mirror

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
"doesn't he know who i think i am?"
                                                     -- phil collins

Attachment: signature.asc
Description: Digital signature (GPG/PGP)

