also sprach Florian Weimer <[EMAIL PROTECTED]> [2006.03.02.2006 +0100]:
> By default, package authenticity is not validated in sarge and
> earlier releases. From a security POV, it's better to download
> those updates from a limited set of well-maintained servers. It
> reduces the attack surface somewhat.

Sure it does. But it cannot be the reason why there are no
officially-endorsed mirrors -- I'd just upload my trojans to sarge's
archive with a higher version number then.

http://www.debian.org/security/faq#mirror

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!

"doesn't he know who i think i am?"
                                                       -- phil collins