* Joey Hess ([EMAIL PROTECTED]) [031202 02:55]:
> Goswin von Brederlow wrote:
> > What can we do with deb signatures?
> >
> > For our current problem, the integrity of the debian archive being
> > questioned, the procedure would be easy and available to every user:
> >
> > 1. get any clean Debian keyring (or just the key signing the keyring)
> > 2. verify the latest Debian keyring
> > 3. verify that each deb was signed by a DD and the signature fits
>
> The canonical attack against signed debs in this situation is to find a
> signed deb on snapshot.debian.net that contains a known security hole.

To avoid this attack, it is necessary that the filename of the deb or the
version of the package is also signed.

Cheers,
Andi
-- 
  http://home.arcor.de/andreas-barth/
  PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C
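The substitution described above and the filename/version binding proposed as its fix, as an added example that is not part of this thread. It uses an HMAC over a constructed key as a stand-in for a developer's OpenPGP signature, and the package names, versions and contents are constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a Debian developer's signing key. A real deb
# signature would be OpenPGP; HMAC is used only so this runs with the stdlib.
DD_KEY = b"constructed-developer-key"

def sign_deb(filename, version, contents, bind_name):
    """Sign a deb. bind_name=False signs only the contents (the scheme the
    snapshot attack exploits); bind_name=True also signs filename and version."""
    signed = {"sha256": hashlib.sha256(contents).hexdigest()}
    if bind_name:
        signed["filename"] = filename
        signed["version"] = version
    msg = json.dumps(signed, sort_keys=True).encode()
    return {"signed": signed, "sig": hmac.new(DD_KEY, msg, hashlib.sha256).hexdigest()}

def verify_deb(filename, version, contents, sig):
    """Check the signature, the content hash, and, where the signature binds
    them, that filename/version match what the client expected from the index."""
    msg = json.dumps(sig["signed"], sort_keys=True).encode()
    expected = hmac.new(DD_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig["sig"]):
        return False
    if sig["signed"]["sha256"] != hashlib.sha256(contents).hexdigest():
        return False
    # A contents-only signature carries no filename/version to compare, so an
    # old but validly signed deb is accepted whatever version was expected.
    if sig["signed"].get("filename", filename) != filename:
        return False
    if sig["signed"].get("version", version) != version:
        return False
    return True

def old_deb_accepted_for_new_version(bind_name):
    """Simulate the snapshot scenario: a validly signed old deb with a known
    hole is served where the client expected the current version."""
    old_contents = b"constructed contents of foo 1.0-1 (known security hole)"
    sig = sign_deb("foo_1.0-1_i386.deb", "1.0-1", old_contents, bind_name)
    return verify_deb("foo_1.0-2_i386.deb", "1.0-2", old_contents, sig)

if __name__ == "__main__":
    print("contents-only signature accepts old deb:",
          old_deb_accepted_for_new_version(False))   # True
    print("filename+version signed accepts old deb:",
          old_deb_accepted_for_new_version(True))    # False
```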