On Sun, 2008-07-13 at 16:19 +0930, Karl Goetz wrote: > On Sun, 2008-07-13 at 02:13 +0200, Franklin PIAT wrote: > > Hello, > > > > On Sat, 2008-07-12 at 23:13 +0000, Joe Smith wrote: > > > Andrei Popescu <andreimpopescu <at> gmail.com> writes: > > > > > > > > One costly solution would be to get the client the send a challenge to a > > trusted server, which would respond by gpg-signed the challenge + the > > checksum of current .Release file. > > How would all these schemes work with offline mirrors? eg, ones that are > built, and used without an internet connection for a month.
You would be warned that your security update server can't be contacted/validated, which is accurate. BTW, of course, the GPG wouldn't have to be Debian key, but any trusted key for that purpose (e.g including corporate, Debian derivative key). Franklin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
