Michael Banck wrote:
> 
> Won't somebody else stop the attack in their place then, who does check
> the signatures?

If a mirror is compromised, unless I'm missing something, it won't be
updated until ftp-master sends a mirror push. And the period of time
between the last mirror push, the compromise and the next mirror push might
be enough for a buildd to download a compromised package.

The buildd owners would be unable to know that the mirror they use was
compromised and thus they would probably sign a .changes file for a package
which might also be compromised (introducing a signature-verified
compromised package in the archive, affecting all users).

> 
> 
> Michael

Regards,
Raphael

