
Re: question about the security of entries in sources.list



On Tue, Dec 03, 2002 at 09:56:57PM +0100, martin f krafft wrote:
> signed packages or release files are being worked on. hold your toes.

been watching the threads on that...

> in the mean time you should bitch heavily at any operator of an
> archive who has a higher version number of some software in his
> archives than one can find in Debian.

yeah, but my concern was how do i know, if all i do is apt-get update
and apt-get upgrade, without watching from where each package is
getting downloaded, and whether or not it's newer than what's on debian.org?

my concern is that if a site were compromised and new packages inserted
(and possibly signed with a made-up gpg key, hence the need for something
more official), someone could 'upgrade' certain packages like, say,
libc6, to contain trojan code.  while i'm not as concerned with servers
like ftp.us.debian.org being compromised (though it is a concern to the
pessimist), i'd like to make sure that the extra sources.list entries
i've put in for other things (like, say, blackdown) don't do more than
for what i've put them in.  is there any way to limit what packages
could be downloaded from what sites?


	sean
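A defensive answer to the closing question, as an added example that is not part of the original post: an apt pinning fragment for /etc/apt/preferences that refuses every package version coming from a third-party origin except the packages it was added for. The hostname archive.example.invalid and the package names are placeholders, not values from the thread.

```shell
# Added example (not from the original post): build an apt preferences
# fragment that pins everything served by one third-party archive to
# priority -1 (apt will never install those versions) and then re-enables
# only the packages that archive was added for.  Hostname and package
# names are placeholders.

# make_apt_prefs HOST PKG...  -> writes the preferences records to stdout
make_apt_prefs() {
    host="$1"; shift
    # General-form record: refuse every version whose origin is this host.
    # "origin" with a quoted value matches the hostname from sources.list.
    printf 'Package: *\nPin: origin "%s"\nPin-Priority: -1\n\n' "$host"
    # Specific-form records override the general one for the named
    # packages; 500 is the priority of an ordinary default target.
    for pkg in "$@"; do
        printf 'Package: %s\nPin: origin "%s"\nPin-Priority: 500\n\n' \
            "$pkg" "$host"
    done
}

# origin_blocked HOST FILE -> exit 0 if FILE holds a catch-all record that
# pins HOST to -1, i.e. a package like libc6 cannot be pulled from it.
origin_blocked() {
    awk -v h="$1" 'BEGIN { RS = "" }
        $0 ~ "Package: \\*" && $0 ~ "origin \"" h "\"" && /Pin-Priority: -1/ {
            found = 1
        }
        END { exit !found }' "$2"
}

# Typical use: write the fragment, then confirm with `apt-cache policy libc6`
# that the candidate version of a core package still comes from Debian.
# make_apt_prefs archive.example.invalid thirdparty-pkg > /etc/apt/preferences
```

Pinning only changes which version apt selects; it does not authenticate the archive, which is what the signed Release files mentioned above are meant to address.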
