On Thu, Dec 04, 2003 at 03:58:38PM -0500, Daniel Jacobowitz wrote:
> On Thu, Dec 04, 2003 at 02:41:43PM -0500, Matt Zimmerman wrote:
> > What kind of real world attacks do signed debs prevent?
> >
> > The only one which comes to mind is a rogue Debian developer that you do
> > not wish to trust, even though the project trusts him.
>
> Someone pretending to be someone Manoj trusts, offering him a corrupted
> .deb offline?

s/offline/without the corresponding signed metadata/

The advantage would certainly appear to be one of convenience (keeping
everything in one file), rather than security (preventing attacks).

-- 
 - mdz

