Re: trusting .deb packages

To: debian-user@lists.debian.org
Subject: Re: trusting .deb packages
From: john doe <johndoe65534@mail.com>
Date: Wed, 25 Jul 2018 11:39:20 +0200
Message-id: <[🔎] 0e5e4338-5e87-8eca-242d-2f3ec6c7bba0@mail.com>
In-reply-to: <[🔎] 73cd3141-0c5d-0270-b33b-6b5e7b9ae61c@affinityvision.com.au>
References: <[🔎] 1532447138.234954.1451339080.32FD8B04@webmail.messagingengine.com> <[🔎] 20180724164321.gmtbaj5xts2idra3@randomstring.org> <[🔎] bc658ffd-cf82-0a8c-6750-d603b15966f7@mail.com> <[🔎] 73cd3141-0c5d-0270-b33b-6b5e7b9ae61c@affinityvision.com.au>

On 7/25/2018 7:40 AM, Andrew McGlashan wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



On 25/07/18 04:31, john doe wrote:

Also verifying signature using gnupg and checksum is a must
(sha512).


Such verification is suspect, anyone can create gpg keys for anyone
(so trust in the keys used is essential, but more difficult to attain)


Yes, that is why the web of trust is for.

https://en.wikipedia.org/wiki/Web_of_trust

and if you download "supporting" files from a site, then the checksums
and signatures can verify perfectly well ..... but the product is
still suspect.


You are correct, all relise on the web of trust, which has also flaws.

Checksum will only insure that the file is properly transfered (notcorrupted).


https://en.wikipedia.org/wiki/Checksum

--
John Doe

Reply to:

References:
- trusting .deb packages
  - From: Anil Duggirala <anilduggirala@fastmail.fm>
- Re: trusting .deb packages
  - From: Dan Ritter <dsr@randomstring.org>
- Re: trusting .deb packages
  - From: john doe <johndoe65534@mail.com>
- Re: trusting .deb packages
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>

Prev by Date: Re: Wine error message
Next by Date: Re: [OT] An easier database
Previous by thread: Re: trusting .deb packages
Next by thread: Re: trusting .deb packages
Index(es):
- Date
- Thread