Hello!

I am right now upgrading my Debian potato from the mirror ftp.it.debian.org and at the same time I am reading about all those trojan viruses to be "used" with win95. Now, I am trusting the security of my system (nothing so important, right now, but ...) in the hands of the system administrator of the Debian mirror. This is somewhat suboptimal.

I propose that in every .deb package there should be attached a GPG or PGP signature by the developer or the release manager, and that signature is to be verified by dpkg and of course dselect, apt, ...

I propose even an easy way to verify that a public key is really from Debian: somebody puts up an answering machine at a certain telephone number that says in a clean and understandable voice: "the fingerprint of the key of the Debian potato distribution is ....". Now the cracker has to work a little more before you load his trojan.

If that number is a pay phone (like porno numbers) the Debian organization could even gain a little money: I would surely pay 2 or 3 euro to improve the security of my system if I knew that that money goes to a good cause.

I am sorry if this is offtopic.

Ciao,
Marco.

PS. I am not subscribed. Please put a cc to me.

--
This is not a Sig. (With homage to Magritte).