Justin Mason wrote:
> a question that Henry put to me -- should sa-updates of the main ruleset
> mandate that GPG verification be used?
>
> Otherwise an attacker that rooted the download server (or a mirror) could
> put out faked updates, which would be automatically downloaded by
> thousands of servers.
>
> I'm tempted to say yes, obviously ;)
>
> --j.

My personal opinion, absolutely yes. A modern server system should need
GPG for other verification reasons too, and it should be easily
installable from a package in most cases. If a distro doesn't have it,
then this further encourages them to include it.
Warren Togami