>IMHO there is no lack of interesting ideas - what we really need are >implementations.
Ja. I just have to find the time. :) >apt-check-sigs is a nice proof-of-concept, and the debsigs stuff could >also improve security significantly. Together, I'd say they'd suffice to >make the debian mirrors extremely tamper-proof. >But apt-check-sigs is lacking nice integration into existing tools, and >debsigs doesn't really work, because packages are not signed, which is >IMHO caused by inappropriate helper tools at packaging time. Hrm. I guess I'll have to check into those. >So implementing these tools, and then changing policy to make package >signatures mandatory, seems to be the most feasible approach. Making package sigs mandatory is the critical bit, IMHO. -Joseph -- [EMAIL PROTECTED] "Alt text doesn't pop up unless you use an ancient browser from the days of yore. The relevant standards clearly indicate that it should not, and I only know about one browser released in the last two years that violates this, and it's still claiming compatibility with Mozilla 4 (which was obsolete quite long ago), so it really can't be considered a modern browser." --jonadab, in a slashdot.org comment.
