
Re: deb-multimedia repository



On Wed, 2013-08-21 at 22:20 +1000, Zenaan Harkness wrote:
> On 8/21/13, Ralf Mardorf <ralf.mardorf@alice-dsl.net> wrote:
> > On Wed, 2013-08-21 at 13:38 +0200, Jochen Spieker wrote:
> >> Essentially, you have a chicken and egg problem.
> >
> > Wrong!
> 
> Subtle!
> 
> > Keys usually are available by a keyserver you could trust, so for the
> > first time you'll get the key this way. Such a package will update keys
> > as long as the older keys still can be used.
> 
> This makes sense, but aren't you just pushing the "chicken or egg"
> problem to the keyserver?
> 
> I.e., how do you trust the keyserver?
> 
> If this 'problem' were not the case, then why do the packages not
> pre-depend on -keyring, and automatically install it first, without
> any security problems, and without any warning to the user?
> 
> Surely if this were possible, that's what would be done?

If you download the key from the keyserver, then you'll only get a key.

If you download the package with the key or keys, then you'll get a
package. On the data highway on the Internet, from the server to you,
the package might get corrupted and perhaps doesn't include a key, but
malicious software.

So getting a key from a keyserver first IMO is safer.

