On Fri, Mar 09, 2001 at 10:36:21PM -0500, Ben Collins wrote:
> > Then IMHO they are not very worthwhile. When the best Debian can do is say
> > 'all packages are signed by one of these 800 keys' :P
> That's why the package should also get signed by the same dinstall key
> that signs the release sig :P
Oh, btw, for people using dselect, apt and apt frontends, signing just the .debs isn't enough. Consider somewhen leaving all the .debs exactly as is, and hax0ring the Packages.gz file to make dpkg appear to conflict with some security fixes, or to depend on some buggy package, or changing the md5sums on some packages so apt'll refuse to install them, or similar. This applies whether you have a `progeny' signature on each .deb or not, too, note.

Cheers,
aj

-- 
Anthony Towns <[EMAIL PROTECTED]> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

``_Any_ increase in interface difficulty, in exchange for a benefit you do not
understand, cannot perceive, or don't care about, is too much.''
-- John S. Novak, III (The Humblest Man on the Net)
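The point aj makes above is that the package index is part of the trust chain, not just the .debs. The following is an added example, not code from the original mail or from Debian's tools: it walks the two links apt relies on offline. A Release file (assumed here to have already been checked against the archive signing key; the signature step itself is not shown) names the SHA256 of the Packages index, and each Packages stanza names the SHA256 and size of its .deb. The mail talks about md5sums; the modern field names are used here. The repository path, package name, file bytes and hash values are all constructed for the example.

```python
"""Walk apt's chain of trust offline: a Release file (assumed already
checked against a repository signing key) lists the SHA256 of each
Packages index, and each Packages stanza lists the SHA256 and size of
its .deb.  Every input below is constructed for the example."""
import hashlib
from typing import Dict, List

INDEX_PATH = "main/binary-amd64/Packages"  # constructed repository path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release: str) -> Dict[str, str]:
    """Return {path: sha256} from the 'SHA256:' block of a Release file.
    Each entry line is '<hash> <size> <path>' indented by one space."""
    hashes: Dict[str, str] = {}
    in_block = False
    for line in release.splitlines():
        if in_block and line.startswith(" "):
            parts = line.split()
            if len(parts) == 3:
                hashes[parts[2]] = parts[0]
        else:
            # Any non-indented line starts a new field; only SHA256: matters here.
            in_block = line.strip() == "SHA256:"
    return hashes


def parse_packages(packages: str) -> List[Dict[str, str]]:
    """Split a Packages index into stanzas mapping field -> value."""
    stanzas: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    for line in packages.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def verify_index(release: str, index_path: str, index_bytes: bytes) -> bool:
    """Link 1: the index must hash to the value the signed Release file names."""
    expected = parse_release_sha256(release).get(index_path)
    return expected is not None and expected == sha256_hex(index_bytes)


def verify_deb(stanza: Dict[str, str], deb_bytes: bytes) -> bool:
    """Link 2: the .deb must match the hash and size recorded in its stanza."""
    return (stanza.get("SHA256") == sha256_hex(deb_bytes)
            and stanza.get("Size") == str(len(deb_bytes)))


def build_fixture():
    """Constructed .deb stand-in, Packages index and Release file."""
    deb = b"!<arch>\nconstructed stand-in for hello_1.0_amd64.deb\n"
    packages = (
        "Package: hello\n"
        "Version: 1.0\n"
        "Depends: libc6\n"
        "Filename: pool/main/h/hello/hello_1.0_amd64.deb\n"
        f"Size: {len(deb)}\n"
        f"SHA256: {sha256_hex(deb)}\n"
    )
    index_bytes = packages.encode()
    release = (
        "Origin: Example\n"
        "Suite: stable\n"
        "SHA256:\n"
        f" {sha256_hex(index_bytes)} {len(index_bytes)} {INDEX_PATH}\n"
    )
    return deb, packages, release


def run_checks() -> Dict[str, bool]:
    deb, packages, release = build_fixture()
    stanza = parse_packages(packages)[0]
    # The scenario from the mail: the .deb is left untouched, only the index
    # is edited (a bogus Conflicts line and a wrong hash for the .deb).
    tampered = packages.replace("Depends: libc6\n",
                                "Depends: libc6\nConflicts: dpkg\n")
    tampered = tampered.replace(sha256_hex(deb), "0" * 64)
    tampered_stanza = parse_packages(tampered)[0]
    return {
        # Genuine index and .deb pass both links.
        "index_ok": verify_index(release, INDEX_PATH, packages.encode()),
        "deb_ok": verify_deb(stanza, deb),
        # The Release-level hash is what catches the edited index ...
        "tampered_index_ok": verify_index(release, INDEX_PATH, tampered.encode()),
        # ... because a good .deb checked against the edited stanza just fails,
        # which is the "apt'll refuse to install them" outcome.
        "deb_vs_tampered_stanza": verify_deb(tampered_stanza, deb),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The only thing a per-.deb signature proves is that the .deb itself is genuine; it says nothing about the metadata apt used to decide whether to install it. Covering the index hash in the signed Release file is what closes that gap, and the check above fails closed when the index does not match.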