Matt Zimmerman <[EMAIL PROTECTED]> writes:

> On Wed, Dec 03, 2003 at 03:07:17AM +0100, Goswin von Brederlow wrote:
>
> > But this kind of tampering _can_ be checked by apt before installing
> > the deb simply by adding a signature verifier into the
> > DPkg::Pre-Install-Pkgs config option, the same mechanism
> > apt-listchanges already uses to display only the new section of the
> > changelog.
>
> Indeed, apt can do a lot better, and is very close to doing so. See #203741.
The assumption was that the archive was compromised but the Release.gpg file changed and resigned. #203741 is about checking the Release.gpg chain of trust, or is there more hidden in all the mails?

Did the BTS reorder the mails? They don't seem to follow a logical discussion. Haven't bothered to check the timestamps, though.

MfG
        Goswin
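The hook mechanism the quoted text refers to, as an added example that is not part of the thread and not apt's or Debian's own code: a DPkg::Pre-Install-Pkgs script that is fed one .deb path per line on stdin (apt's default hook protocol) and runs a per-package signature verifier on each. The script name, the use of debsig-verify(1) as the default verifier, and the apt.conf line are assumptions; apt aborts the whole dpkg run if the hook exits non-zero, which is what makes this check fail closed independently of Release.gpg.

```shell
#!/bin/sh
# Hypothetical apt DPkg::Pre-Install-Pkgs hook (added example, not from the
# thread). apt runs the configured command once per dpkg invocation and
# writes the path of every .deb about to be installed to its stdin, one per
# line (the default hook protocol, no DPkg::Tools::Options::...::Version).
# A non-zero exit aborts the run before dpkg touches anything, so this is
# the fail-closed point that still works when Release.gpg was re-signed by
# whoever controls the archive.
#
# Register it in apt.conf (assumed path):
#   DPkg::Pre-Install-Pkgs { "/usr/local/sbin/apt-verify-debs"; };
#
# VERIFY_CMD is the per-package verifier; debsig-verify(1) is assumed as the
# default because it checks an OpenPGP signature embedded in the .deb against
# a local policy, so it does not depend on the archive's Release.gpg. Any
# command taking the .deb path as its argument and exiting 0 on success works.
: "${VERIFY_CMD:=debsig-verify}"

# verify_debs [verifier]: read one .deb path per line from stdin and run the
# verifier on each. Every package is checked (not just until the first
# failure) so the log shows all bad files. Returns 0 only if all passed;
# an empty list trivially passes.
verify_debs() {
    cmd="${1:-$VERIFY_CMD}"
    failed=0
    total=0
    while IFS= read -r deb; do
        [ -n "$deb" ] || continue          # skip blank lines
        total=$((total + 1))
        if "$cmd" "$deb" >/dev/null 2>&1; then
            echo "verified: $deb" >&2
        else
            echo "signature check FAILED: $deb" >&2
            failed=$((failed + 1))
        fi
    done
    echo "$total package(s) checked, $failed failure(s)" >&2
    [ "$failed" -eq 0 ]
}

# Run the hook body only when installed under the assumed hook name, so the
# file can also be sourced for testing without consuming stdin.
case "${0##*/}" in
    apt-verify-debs) verify_debs ;;
esac
```

The verifier is invoked once per file rather than once per run so that a single unsigned or tampered .deb is reported by name, and the loop deliberately continues past the first failure and only aggregates the result at the end; apt still sees a single non-zero exit and refuses to install any of the batch.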