* John Goerzen ([EMAIL PROTECTED]) [031201 17:40]:
> Even if the attacker could place a new keyring file in the archive,
> people verifying signatures on signed .debs would not install it, since
> it would not have the signature of a developer.

And to be honest: if all debs are signed, and it is easily possible, I would restrict the accepted signatures for the keyring package on my private machine to James, and have a mail sent to me if there is a keyring package signed by any other DD. So the real danger would be if James' key were stolen.

Cheers,
Andi
--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C