Hi,
>>"Fabrizio" == Fabrizio Polacco <[EMAIL PROTECTED]> writes:

 >> If per file md5sums are to be recorded, then maybe they too should
 >> be pgp-signed (possibly by dpkg at package build time, possibly a
 >> detached signature).

 Fabrizio> as I already said, I think that maintainer's signatures are
 Fabrizio> essential for the Debian Installer to certify the origin and
 Fabrizio> integrity of the uploaded things, but could give a fake
 Fabrizio> security if checked by users later (maybe months later) on
 Fabrizio> installed systems.

        This is still better than having an unsigned md5sums file; the
 window of malice is only open to someone who has the original
 packager's private key; and we can assign a lower level of trust if
 the key does not occur in a widely distributed up-to-date copy of the
 Debian _active_ keyring. Keys that are known to be compromised can be
 revoked.

        If tested against such a keyring, if the md5sums file is also
 date stamped, if the signature fails because no key is found, it is an
 old package whose maintainer is no longer active (but not a known
 rogue -- those would have a revoked certificate). Checking against the
 debian-keyring file (which, like the current one, contains all
 developer keys, past or present) shall ensure it was signed by a
 debian developer at some time.

        Not perfect, but it is fairly secure, I think, as long as an
 updated keyring file can be reliably obtained. (An old developer may
 have had their key compromised or have gone rogue unnoticed, but
 that's a lower probability event).

        manoj
--
 America has been discovered before, but it has always been hushed up.
 Oscar Wilde
Manoj Srivastava <[EMAIL PROTECTED]> <http://www.datasync.com/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
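The verification scheme sketched in the mail above (per-file md5sums, a signed and date-stamped md5sums file, full trust for keys in the active keyring, reduced trust for keys found only in the historical debian-keyring, rejection of revoked keys), worked through as an added example that is not part of the thread and not dpkg's or Debian's own code. It assumes the OpenPGP signature itself has already been checked by an external tool such as gpg, whose result (signature valid or not, plus the signing key's fingerprint) is passed in; the keyrings, key fingerprints, file contents and date stamp are all constructed placeholders, and the `Date:` header line in the md5sums file is a hypothetical format chosen for the example.

```python
import hashlib
from datetime import date

# --- Constructed sample data (placeholders, not real Debian keys or packages) ---

# Contents of the installed package files, keyed by path.
FILES = {
    "usr/bin/frob": b"#!/bin/sh\necho frob\n",
    "usr/share/doc/frob/README": b"frob documentation\n",
}

# Date-stamped md5sums list as the package might ship it (hypothetical
# "Date:" header followed by md5sum(1)-style "hexdigest  path" lines).
MD5SUMS_FILE = "Date: 1998-03-01\n" + "".join(
    f"{hashlib.md5(data).hexdigest()}  {path}\n" for path, data in FILES.items()
)

# Hypothetical keyrings: fingerprints of currently active developers, of all
# developers past or present (debian-keyring), and of keys known to be revoked.
ACTIVE_KEYRING = {"KEY-ACTIVE-0001"}
FULL_KEYRING = {"KEY-ACTIVE-0001", "KEY-RETIRED-0002", "KEY-REVOKED-0003"}
REVOKED_KEYS = {"KEY-REVOKED-0003"}


def parse_md5sums(text):
    """Parse a date-stamped md5sums file into (date, {path: hexdigest})."""
    stamp = None
    sums = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Date:"):
            stamp = date.fromisoformat(line.split(":", 1)[1].strip())
            continue
        digest, path = line.split(None, 1)  # "hexdigest  path" as md5sum(1) writes it
        sums[path.strip()] = digest.lower()
    return stamp, sums


def check_files(sums, files):
    """Return the recorded paths whose current content does not match its md5sum."""
    bad = []
    for path, expected in sums.items():
        data = files.get(path)
        if data is None or hashlib.md5(data).hexdigest() != expected:
            bad.append(path)
    return bad


def classify_signer(fingerprint):
    """Trust level for the key that signed the md5sums file, following the
    mail's scheme: active keyring > historical keyring > unknown key, and a
    revoked key is rejected outright."""
    if fingerprint in REVOKED_KEYS:
        return "reject"        # known compromised or rogue key
    if fingerprint in ACTIVE_KEYRING:
        return "full"          # current Debian developer
    if fingerprint in FULL_KEYRING:
        return "historical"    # was a developer at some time, no longer active
    return "untrusted"         # never a developer key


def verify_package(md5sums_text, files, signature_ok, signer):
    """Combine the external signature result with the keyring lookup and the
    per-file checksum check; returns the trust level and why."""
    if not signature_ok:
        return {"trust": "reject", "reason": "bad signature", "modified": []}
    trust = classify_signer(signer)
    if trust == "reject":
        return {"trust": trust, "reason": "revoked key", "modified": []}
    stamp, sums = parse_md5sums(md5sums_text)
    modified = check_files(sums, files)
    if modified:
        return {"trust": "reject", "reason": "checksum mismatch", "modified": modified}
    return {"trust": trust, "reason": f"signed {stamp}", "modified": []}


if __name__ == "__main__":
    for key in ("KEY-ACTIVE-0001", "KEY-RETIRED-0002", "KEY-REVOKED-0003", "KEY-UNKNOWN"):
        print(key, verify_package(MD5SUMS_FILE, FILES, True, key))
    tampered = {**FILES, "usr/bin/frob": b"not what was packaged\n"}
    print("tampered", verify_package(MD5SUMS_FILE, tampered, True, "KEY-ACTIVE-0001"))
```

The date stamp is parsed so a caller can tell an old package signed by a since-retired developer from a fresh one; the point from the mail is that a historical-only key is a lower trust level, not a failure, while a revoked key or a checksum mismatch is rejected regardless of how the key was classified.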