After seeing some trojan horses being spread and Martin trying to make sure xisp can be verified as secure on the debian-user list, I started thinking of how to secure our mirrors. The thought I had was to make pgp signatures of the package files and save them as Packages.pgp. This will not interfear with the current package files, therefore we are still backwards compatable. Then apt could check for a pgp file and verify it for the user. If it fails, it could just warn the user and ask to continue. This would require: a) gnu's version of pgp to work (so that we don't request non-free software to get the free software) and the bad part b) someone to be at the console when generating packages files to type the pgp password. Note that a trojan horse can only be added by a trusted user (i.e. the package maintainer or an ftp site maintainer) unless the upstream source compromised.
Thoughts? Brandon +--- ---+ | Brandon Mitchell * [EMAIL PROTECTED] * http://bhmit1.home.ml.org/ | | The above is a completely random sequence of bits, any relation to | | an actual message is purely accidental. |