* Message by -Jim Popovitch- from Sun 2008-06-08:
> On Sun, Jun 8, 2008 at 12:30 PM, Bernd Eckenfels <[EMAIL PROTECTED]> wrote:
> > In article <[EMAIL PROTECTED]> you wrote:
> >> It's mirrors like that that make me paranoid about Debian Security.
> >
> > Why is that? IIS is the second most used web server on the market. And since
> > mirrors are not a trusted part of software distribution anyway, I don't see
> > an issue here.
>
> Here's my issue, please correct me if I am wrong. .debs and sigs both
> exist on the same server. If the Windows box/network is compromised,
> then the sigs and debs can be modified and who would know?
The one who checks the 'sigs' will know that, for an attacker will not be able to forge cryptographic signatures for his modified packages. These ARE cryptographic signatures, or am I mistaken? If I am, then of course you are right, and the rationale behind the 'sigs' would have to be questioned in the first place.
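The verification chain the reply is relying on, as an added example (this is illustrative code written for this page, not code from the thread, from apt or from the Debian archive tooling). It assumes an Ed25519 key pair standing in for the archive's OpenPGP key, a Release manifest that lists the SHA-256 of Packages, and a Packages manifest that lists the SHA-256 of each .deb; the package names and contents are constructed. The point it shows is the one made above: a mirror that can rewrite every file it serves still cannot produce a Release signature that verifies under the key pinned on the client, so each of the three tamperings fails at a different link of the chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Mirror is everything an untrusted mirror serves; a compromised host can rewrite any of it.
type Mirror struct {
	Release    []byte            // manifest listing the sha256 of Packages
	ReleaseSig []byte            // detached signature over Release, made with the archive key
	Packages   []byte            // manifest listing the sha256 of every .deb
	Debs       map[string][]byte // package files by name (the caller's map, not a copy)
}

func sha256Hex(b []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

// buildManifest renders one "<sha256> <name>" line per file (order is irrelevant to verification).
func buildManifest(files map[string][]byte) []byte {
	var b strings.Builder
	for n, data := range files {
		fmt.Fprintf(&b, "%s %s\n", sha256Hex(data), n)
	}
	return []byte(b.String())
}

// parseManifest maps file name -> expected sha256 hex. Malformed lines are skipped; once the
// signature and hash checks have passed, such lines can only have come from the archive itself.
func parseManifest(m []byte) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(string(m), "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			out[f[1]] = f[0]
		}
	}
	return out
}

// BuildMirror is the archive side: Packages indexes the .debs, Release indexes Packages, and
// Release is signed. A mirror merely copies the output, so anyone rebuilding it without the
// archive's private key produces a Release signature that will not verify.
func BuildMirror(signingKey ed25519.PrivateKey, debs map[string][]byte) *Mirror {
	packages := buildManifest(debs)
	release := buildManifest(map[string][]byte{"Packages": packages})
	return &Mirror{release, ed25519.Sign(signingKey, release), packages, debs}
}

// FetchVerified is the client side. It trusts only the locally pinned archivePub and checks
// signature -> Release -> Packages -> .deb before returning any package bytes.
func FetchVerified(m *Mirror, archivePub ed25519.PublicKey, name string) ([]byte, error) {
	if !ed25519.Verify(archivePub, m.Release, m.ReleaseSig) {
		return nil, errors.New("Release signature does not verify against the pinned archive key")
	}
	if parseManifest(m.Release)["Packages"] != sha256Hex(m.Packages) {
		return nil, errors.New("Packages does not match the hash in the signed Release")
	}
	deb, ok := m.Debs[name]
	if !ok || sha256Hex(deb) != parseManifest(m.Packages)[name] {
		return nil, fmt.Errorf("%s is missing or does not match its hash in Packages", name)
	}
	return deb, nil
}

// RunScenarios runs the client against an honest mirror and three tampered ones and
// returns each scenario's verification error (nil means the package was accepted).
func RunScenarios() map[string]error {
	archivePub, archivePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample package; the bytes stand in for a real .deb archive.
	target := "openssh-server_1.0_amd64.deb"
	genuine := map[string][]byte{target: []byte("genuine openssh-server build")}
	evil := map[string][]byte{target: []byte("openssh-server build with an added root shell")}
	res := map[string]error{}
	_, res["honest mirror"] = FetchVerified(BuildMirror(archivePriv, genuine), archivePub, target)
	// Swap only the .deb: its hash no longer matches Packages.
	m := BuildMirror(archivePriv, genuine)
	m.Debs[target] = evil[target]
	_, res["swap deb"] = FetchVerified(m, archivePub, target)
	// Also rewrite Packages to match: Packages no longer matches the signed Release.
	m.Packages = buildManifest(m.Debs)
	_, res["swap deb and Packages"] = FetchVerified(m, archivePub, target)
	// Rebuild and re-sign everything with the attacker's own key: the signature does not
	// verify because only the archive key is pinned on the client.
	_, res["resign with attacker key"] = FetchVerified(BuildMirror(attackerPriv, evil), archivePub, target)
	return res
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-26s %v\n", name, err)
	}
}
```

The real thing is the same shape with different primitives: apt checks an OpenPGP signature on Release against the keys in /etc/apt/trusted.gpg.d, Release carries the checksums of the Packages indexes, and Packages carries the checksums of the .debs (see apt-secure(8)). What the mirror operator controls is therefore only availability, never what a client accepts.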