On Mon, Sep 22, 2003 at 04:25:23PM +1000, Anthony Towns wrote:
> http://people.debian.org/~ajt/apt-check-sigs
>
> There's a patch to apt floating around that integrates this checking
> properly too.

I know that there are several implementations of this concept (one is even in the APT CVS, I think), but unless this is enabled by default (and can be enabled retroactively for existing stable installations), our problem isn't solved. Keep in mind that many people assume that GNU/Linux distributions are "secure by default", so it's quite improbable that they will install random additional packages to resolve security issues they don't understand. (And we can't force them because the externally visible effect of signature checking is minimal.)