"Jim Popovitch" <[EMAIL PROTECTED]> writes:

> On Thu, Jul 17, 2008 at 3:43 PM, Goswin von Brederlow <[EMAIL PROTECTED]> wrote:
>> The simple solution would be to create a Timestamp.gpg file that is
>> signed daily (as opposed to Release.gpg being signed only on updates)
>> and have apt-get warn if it gets old.
>
> But as long as Release.gpg/Timestamp.gpg are local to the mirror(s),
> and not only on a master, the various .gpg files and packages can,
> even though difficult, be modified on the single mirror. IMHO,
> verification needs to have an alternate channel than the downloads.
>
> -Jim P.
They can not be modified since gpg protects against that. They can only
be replayed with an older version. And then the timestamp will be old.
=> detectable.

MfG
        Goswin
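The check Goswin describes, as an added example that is not part of this thread: a client verifies a daily-signed Timestamp file and tells a tampered copy (signature fails) apart from a replayed old copy (genuine but stale). HMAC-SHA256 with a constructed key stands in for the detached GPG signature so the example runs offline, and the two-day staleness threshold is an assumption.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed key standing in for the archive's GPG signing key (assumption:
# HMAC-SHA256 replaces the detached GPG signature so this runs without gpg).
ARCHIVE_KEY = b"constructed-archive-signing-key"
DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"
MAX_AGE = timedelta(days=2)  # assumed threshold: a daily-signed file older than this is suspect


def sign_timestamp(signed_at):
    """Archive side: produce the Timestamp file body and its detached signature."""
    body = ("Date: " + signed_at.strftime(DATE_FMT) + "\n").encode()
    sig = hmac.new(ARCHIVE_KEY, body, hashlib.sha256).digest()
    return body, sig


def check_timestamp(body, sig, now, max_age=MAX_AGE):
    """Client side: return 'ok', 'bad-signature', 'bad-format' or 'stale'."""
    expected = hmac.new(ARCHIVE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "bad-signature"  # content altered on the mirror: signature no longer matches
    # The signature is genuine, so the Date line is exactly what the archive signed.
    date_lines = [l for l in body.decode().splitlines() if l.startswith("Date: ")]
    if len(date_lines) != 1:
        return "bad-format"
    signed_at = datetime.strptime(date_lines[0][6:], DATE_FMT).replace(tzinfo=timezone.utc)
    if now - signed_at > max_age:
        return "stale"  # genuine but old: a replay of an earlier Timestamp file
    return "ok"


def demo():
    """Three constructed scenarios: fresh file, tampered file, replayed old file."""
    now = datetime(2008, 7, 18, 12, 0, tzinfo=timezone.utc)
    fresh_body, fresh_sig = sign_timestamp(now - timedelta(hours=6))
    # Tampering: the mirror rewrites the Date line to look current but cannot re-sign it.
    tampered_body = ("Date: " + now.strftime(DATE_FMT) + "\n").encode()
    # Replay: a genuinely signed file from a month ago served again.
    old_body, old_sig = sign_timestamp(now - timedelta(days=30))
    return {
        "fresh": check_timestamp(fresh_body, fresh_sig, now),
        "tampered": check_timestamp(tampered_body, fresh_sig, now),
        "replayed": check_timestamp(old_body, old_sig, now),
    }


if __name__ == "__main__":
    print(demo())
```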