On Sun, Aug 16, 2009 at 05:04:21AM -0500, Dave Sherohman wrote:
> Always obtain your checksums via an alternate
> (cryptographically-secured) path, not directly from the data they're
> being used to verify.

The Debian package management system uses a different strategy: The path
itself need not be secure (because, well, nobody really likes the central
CA approach of SSL ;-) ). Rather, the distribution signs the media itself
(Packages, Sources and Release files).

(In case the torrent content in question is debtorrent and the like)

--
Tzafrir Cohen         | [email protected] | VIM is
http://tzafrir.org.il |                   | a Mutt's
[email protected]     |                   |  best
ICQ# 16849754         |                   | friend
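
The following is an added example, not part of the original message: it shows how a checksum fetched over an untrusted path becomes trustworthy once it is anchored in a signed Release file. It assumes the Release file's signature has already been checked (for example with gpgv against the archive keyring); the sample data, paths and function names are constructed for illustration.

```python
import hashlib

def parse_release_sha256(release_text):
    """Return {path: (size, sha256_hex)} from the SHA256: section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            parts = line.split()
            if len(parts) == 3:  # "<digest> <size> <path>"
                digest, size, path = parts
                entries[path] = (int(size), digest.lower())
        elif in_section:
            break  # the next top-level field ends the section
    return entries

def verify_index(release_text, path, data):
    """True only if data matches the size and SHA256 that Release lists for path.

    Assumption: release_text comes from a Release file whose signature was
    already verified, so the digests in it are as trustworthy as the signing key.
    """
    entry = parse_release_sha256(release_text).get(path)
    if entry is None:
        return False  # a file Release does not list is not covered by the signature
    size, digest = entry
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

# Constructed sample data (not taken from a real archive).
INDEX_PATH = "main/binary-amd64/Packages"
PACKAGES = (b"Package: hello\nVersion: 2.10-2\n"
            b"Filename: pool/main/h/hello/hello_2.10-2_amd64.deb\n")
RELEASE = (
    "Origin: Example\n"
    "Suite: stable\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} {INDEX_PATH}\n"
)

if __name__ == "__main__":
    # The index as published passes; a copy altered in transit does not.
    print(verify_index(RELEASE, INDEX_PATH, PACKAGES))
    print(verify_index(RELEASE, INDEX_PATH, PACKAGES.replace(b"2.10-2", b"2.10-3")))
```

The same check repeats one level down: each entry in a verified Packages file carries the digest of its .deb, so a mirror or torrent peer can serve every file without being trusted.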

