On Thu, Jul 17, 2008 at 03:54:02PM -0400, Jim Popovitch wrote:
> But as long as Release.gpg/Timestamp.gpg are local to the mirror(s), and not only on a master, the various .gpg files and packages can, even though difficult, be modified on the single mirror. IMHO, verification needs to have an alternate channel than the downloads.
If someone can modify gpg signatures we have a bigger problem that can't be solved by any solution proposed thus far.
Mike Stone