Thomas Bushnell BSG <[EMAIL PROTECTED]> writes:

> Goswin von Brederlow <[EMAIL PROTECTED]> writes:
>
>> The archive signing key gives absolutely no integrity assurance on the
>> deb package. The only thing it ensures is that the file was not
>> altered _after_ leaving ftp.de.debian.org for the mirrors and/or
>> user. In no way does it prevent altering the deb on ftp-master.
>
> Isn't that a useful assurance? Perhaps I trust the maintenance of
> ftp-master, but not the maintenance of Joe Random Mirror.

It sure is useful, as it removes a lot of untrusted steps from being a
vulnerability. But that doesn't help if the attack happens at ftp-master.

Regards,
Goswin
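
The distinction drawn in this thread, as an added example that is not part of the original messages: a client-side check of the hash chain from a signed Release file through Packages to the .deb, run against a change made on a mirror and a change made before the indices were generated. The file contents, the index path and the function names are constructed for illustration, and the signature check on Release is assumed to have already succeeded.

```python
import hashlib

INDEX = "main/binary-all/Packages"  # constructed index path

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_indices(deb: bytes):
    """Archive side: index whatever .deb is in the pool at generation time."""
    packages = (f"Package: hello\nVersion: 1.0\n"
                f"Size: {len(deb)}\nSHA256: {sha256(deb)}\n").encode()
    release = (f"Suite: unstable\nSHA256:\n"
               f" {sha256(packages)} {len(packages)} {INDEX}\n").encode()
    return release, packages

def verify_chain(release: bytes, packages: bytes, deb: bytes) -> bool:
    """Client side. Assumption: the signature on `release` was already
    verified against the archive key; only the hash chain is checked here."""
    listed, in_block = {}, False
    for line in release.decode().splitlines():
        if line == "SHA256:":
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            listed[path] = (digest, int(size))
        else:
            in_block = False
    if listed.get(INDEX) != (sha256(packages), len(packages)):
        return False  # Packages changed after Release was signed
    fields = dict(l.split(": ", 1) for l in packages.decode().splitlines())
    return (sha256(deb), len(deb)) == (fields["SHA256"], int(fields["Size"]))

def scenarios() -> dict:
    upload = b"constructed stand-in for the maintainer's upload"
    altered = upload + b" plus an unauthorised change"
    release, packages = build_indices(upload)
    late_release, late_packages = build_indices(altered)
    return {
        "untouched": verify_chain(release, packages, upload),
        "deb altered on mirror": verify_chain(release, packages, altered),
        "index altered on mirror": verify_chain(release, late_packages, altered),
        "deb altered before signing": verify_chain(late_release, late_packages, altered),
    }

if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:28} accepted={accepted}")
```

The last scenario is accepted because the indices were computed over the already-altered file; detecting it needs a check that is independent of the archive's own signature, such as comparing against the uploader's signed hashes.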