Why can't apt-get be modified to check the md5sum of a package against an official debian md5sum list before downloading and installing debs? This seems much simpler and easier than signing debs.
On Friday 18 October 2002 09:55 am, Jan Niehusmann wrote: > On Fri, Oct 18, 2002 at 08:20:14AM -0500, Joseph Pingenot wrote: > > If people are interested enough in it, I might throw together something > > more formal. > > IMHO there is no lack of interesting ideas - what we really need are > implementations. > > apt-check-sigs is a nice proof-of-concept, and the debsigs stuff could > also improve security significantly. Together, I'd say they'd suffice to > make the debian mirrors extremely tamper-proof. > > But apt-check-sigs is lacking nice integration into existing tools, and > debsigs doesn't really work, because packages are not signed, which is > IMHO caused by inappropriate helper tools at packaging time. > > So implementing these tools, and then changing policy to make package > signatures mandatory, seems to be the most feasible approach. > > Writing new proposals for advanced security schemes doesn't help and may > even delay implementation of working mechanismns. > > Jan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
