On Wed, Apr 08, 1998 at 08:23:48PM +0200, Marco d'Itri wrote:
> Can someone hack dinstall to install packages which are not PGP signed
> but have been copied to incoming? If the UID of the files is the one of a
> developer we can know who did upload the package.

No. We know which account the uploader used. (Even that is not true. The uploader may have changed the UID if he obtained root privileges, but then he can bypass dinstall). And what about packages uploaded to chiar or erlangen?

We should be talking about improving our security instead (by signing the packages, and not the .changes file). One of these days we will find trojan horses in Debian packages at compromised mirror sites, and will have to hear all that "But, RPM packages are PGP signed..." stuff again and again.

--
Enrique Zanardi [EMAIL PROTECTED]
Dpto. Fisica Fundamental y Experimental
Univ. de La Laguna