martin f krafft <[EMAIL PROTECTED]> writes: > > > I think, adding package signatures will actually make Debian less > > > secure than it was before, although it's doubtful that the average > > > user will notice or care. > > > > How can it make it less secure? > > It gives the users a false sense of security. Having the package > verify suggests that it is authentic, when in fact it only says that > it has been uploaded by someone with control over any of the Debian > developer GPG keys.
But how does this "false sense" cause a problem? For example, if users regularly scanned all the source code on their system, and this would cause them to stop doing so, then the false sense would be a problem! In other words, what makes a false sense of security dangerous is when it leads someone to stop being careful about things that they otherwise would be. But right now, what care is anyone actually taking to make sure that the ssh binaries they get from Debian aren't compromised? > I see that this goes both ways and does also raise security. But > do you also see my point? I do see how it could create a false sense of security. I do not see what the damage that false sense is causing in this case. > Good point. And also: uploading once every six months does not > ensure that the developer otherwise treats his/her key safely. Thus, > it does not really address the issue. Please don't speak of "the issue". There are many issues, and why I object to your "do nothing" proposal, as that it seems to me that you are saying we should solve any of these issues until we can solve them all. This attitude is facilitated by treating it as "the issue", which isn't solved (in your mind) unless it is solved in its entirety. Instead, think about it as many different issues. We can solve one of them, and thus make progress, without necessarily having solved every one. The logical conclusion from your arguments is that we should actually remove the ssh package from Debian! Thomas -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
