
Re: Recent updates



Hi!

* Jim Popovitch <yahoo@jimpop.com> [080217 20:43]:

> > Subscribe to debian-announce:
> > http://lists.debian.org/debian-announce/debian-announce-2008/msg00000.html
> I hope you are teasing, or perhaps you didn't see my first sentence
> where I stated that I had not seen any other news about this.  I have
> been subscribed to d-a, as well as d-s, and d-i, and d-v..... the
> problem was the updates hit the mirrors before the announcement hit
> the wire.

Yes, as the last couple of announcements did.  The problem is that if we
announce a new release before it is sent to the mirrors, the mirrors are
hit very hard, hindering the sync of our mirror network.

So in general we first push the upgrade to the mirrors, and then send out
the announcements.


> Normally this wouldn't be much of an issue, but the formal signed
> announcement is the only way for most of us to know that the updates
> are legit and not a nefarious action by some rogue hacker.

Well, a rogue hacker would need to be quite skilled to add some kind of
"bad" package.

Let's assume he has created a bad package and got control over a mirror
(since he can't upload the package himself, that's the only way to
include it).  Of course he could add his package to the Debian archive
he has on that mirror, but since packages and releases are signed with
gpg he couldn't benefit from that: as soon as someone tried to
install his bad package, package management would detect the wrong
signature.


Yours sincerely,
  Alexander

-- 
http://learn.to/quote/
http://www.catb.org/~esr/faqs/smart-questions.html
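[Editor's note, added to this archived message: the check Alexander describes above is a chain, not a single signature on each .deb.  apt verifies the gpg signature on the Release file (Release.gpg/InRelease) with the keys in its trusted keyring, then checks each index file (Packages) against the hashes listed in Release, and finally checks each downloaded .deb against the hash and size listed in Packages.  The script below is an added illustration of that chain and of what a mirror operator without the archive key can and cannot change; it is not code from apt or from Debian.  The archive contents are constructed in the script, and the gpg verdict on Release is modelled as a boolean argument rather than by calling gpg, because the only point here is the hash chain that hangs off that verdict.]

```python
import hashlib


def build_packages(deb_bytes, filename="pool/main/e/example/example_1.0-1_amd64.deb"):
    """Constructed Packages index (one stanza) describing deb_bytes."""
    return (
        "Package: example\n"
        "Version: 1.0-1\n"
        "Architecture: amd64\n"
        f"Filename: {filename}\n"
        f"Size: {len(deb_bytes)}\n"
        f"SHA256: {hashlib.sha256(deb_bytes).hexdigest()}\n"
        "\n"
    ).encode()


def build_release(packages_bytes, index_path="main/binary-amd64/Packages"):
    """Constructed Release file whose SHA256 stanza covers packages_bytes."""
    return (
        "Origin: Example\n"
        "Suite: stable\n"
        "SHA256:\n"
        f" {hashlib.sha256(packages_bytes).hexdigest()} {len(packages_bytes)} {index_path}\n"
    )


# Constructed sample archive (not a real Debian mirror).
DEB_FILENAME = "pool/main/e/example/example_1.0-1_amd64.deb"
INDEX_PATH = "main/binary-amd64/Packages"
DEB_BYTES = b"!<arch>\nconstructed-debian-binary-placeholder\n"
PACKAGES_BYTES = build_packages(DEB_BYTES, DEB_FILENAME)
RELEASE = build_release(PACKAGES_BYTES, INDEX_PATH)


def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256: stanza of a Release file.

    Release files carry several hash stanzas (MD5Sum:, SHA1:, SHA256:), each a
    header line followed by indented ' <hash> <size> <path>' lines; only the
    SHA256 stanza is collected here.
    """
    digests = {}
    in_stanza = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_stanza = line.rstrip() == "SHA256:"
            continue
        if in_stanza:
            digest, size, path = line.split()
            digests[path] = (digest, int(size))
    return digests


def parse_packages(packages_text):
    """Return {Filename: {field: value}} for each blank-line-separated stanza."""
    entries = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = {}
        last_key = None
        for line in stanza.splitlines():
            if line.startswith(" ") and last_key:  # continuation line (e.g. Description)
                fields[last_key] += "\n" + line.strip()
                continue
            key, _, value = line.partition(":")
            last_key = key.strip()
            fields[last_key] = value.strip()
        entries[fields["Filename"]] = fields
    return entries


def verify_index(release_text, index_path, index_bytes):
    """Step 2: the Packages index must match the hash and size in Release."""
    expected = parse_release_sha256(release_text).get(index_path)
    if expected is None:
        return False
    digest, size = expected
    return len(index_bytes) == size and hashlib.sha256(index_bytes).hexdigest() == digest


def verify_deb(packages_bytes, filename, deb_bytes):
    """Step 3: the .deb must match the hash and size in the Packages index."""
    entry = parse_packages(packages_bytes.decode()).get(filename)
    if entry is None:
        return False
    return (len(deb_bytes) == int(entry["Size"])
            and hashlib.sha256(deb_bytes).hexdigest() == entry["SHA256"])


def verify_chain(release_text, release_signature_ok, index_path, index_bytes, filename, deb_bytes):
    """The chain apt walks.  release_signature_ok stands in for the gpg
    verification of Release.gpg/InRelease against the trusted keyring
    (assumption: modelled as a boolean here instead of calling gpg)."""
    if not release_signature_ok:
        return "release signature invalid"
    if not verify_index(release_text, index_path, index_bytes):
        return "index hash mismatch"
    if not verify_deb(index_bytes, filename, deb_bytes):
        return "package hash mismatch"
    return "ok"


def rogue_mirror_outcomes():
    """What a mirror operator who lacks the archive signing key can try."""
    evil_deb = DEB_BYTES + b"malicious payload\n"
    evil_packages = build_packages(evil_deb, DEB_FILENAME)
    evil_release = build_release(evil_packages, INDEX_PATH)
    return {
        # Swap only the .deb: its hash no longer matches the signed-over Packages.
        "swap deb": verify_chain(RELEASE, True, INDEX_PATH, PACKAGES_BYTES, DEB_FILENAME, evil_deb),
        # Also rewrite Packages: its hash no longer matches the signed Release.
        "swap deb and Packages": verify_chain(RELEASE, True, INDEX_PATH, evil_packages, DEB_FILENAME, evil_deb),
        # Also rewrite Release: without the key, no valid signature covers it.
        "swap deb, Packages and Release": verify_chain(evil_release, False, INDEX_PATH, evil_packages, DEB_FILENAME, evil_deb),
    }
```

The untouched archive passes all three steps; each of the three tampering attempts fails at exactly the step where the attacker's change stops being covered by something the archive key signed.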
