Christoph Anton Mitterer <christoph.anton.mitte...@physik.uni-muenchen.de> writes:

>> ... sources are fetched from Bazaar version control
>> repository hosted by launchpad.net. The repository's integrity isn't
>> compromised while the cloning, the download, happens.
>
> I mean regardless of whether you download a tgz or something from VCS,...
> this means, that without additional checking, installation of a debian
> package introduces unverified code, or not?
Does any of these answer the concerns?

1. Originality of the 4.3a sources?

   They are the same on disk as they are at the launchpad.net bzr
   repository (the cloning process, the repository download, is in
   itself a "verification process"). This is different from the
   possibility of grabbing tar.gz files from hosts all over the world
   (mirrors). There you need *.gpg signature files to verify integrity.
   The 4.3a sources themselves are open for review.

2. tc-installer and patches?

   The process applies patches to support later kernels. The patches are
   protected by the GPG signature of the whole tc-install*.deb package,
   inside which they are.

3. Produced *.deb packages that the installer produces?

   The produced truecrypt *.deb packages are made by the standard Debian
   packaging commands. They are locally issued by the user who runs the
   tc-dpkg(1) command. The build process runs the Truecrypt self-check
   to check the encryption algorithms. The security of the *.deb
   packages to enable Truecrypt is under his control.

Jari

-- 
To UNSUBSCRIBE, email to debian-wnpp-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
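The check Jari refers to under point 1, verifying a tarball fetched from an arbitrary mirror against its detached *.gpg signature file, as an added example that is not part of the thread and not code from the tc-installer or truecrypt packaging. It assumes GnuPG 2.x is installed and that the signer's public key is already in the keyring under GNUPGHOME; the function names verify_tarball and demo_verify, the temporary keyring, the sample archive contents and the address release@example.invalid are all made up for the demonstration. The demo signs a constructed file with a throwaway key, checks that the genuine signature is accepted, then corrupts one byte and checks that the same signature is now rejected, which is the failure a hostile mirror would produce.

```shell
#!/bin/sh
# Added example, not from the thread: verify a downloaded source tarball
# against a detached OpenPGP signature before unpacking or building it.
# Assumes gpg (GnuPG 2.x) is installed and the release key is in the
# keyring referenced by GNUPGHOME (hypothetical names throughout).

# verify_tarball TARBALL SIGFILE
# Returns 0 only when SIGFILE is a good, valid signature over TARBALL by a
# key present in the keyring. Missing files, unknown keys, bad signatures
# and modified tarballs all return non-zero, so callers can refuse to unpack.
verify_tarball() {
    tarball=$1
    sigfile=$2
    [ -f "$tarball" ] && [ -f "$sigfile" ] || return 2
    # --batch: never prompt; --status-fd 1: machine-readable verdict lines.
    if status=$(gpg --batch --no-tty --status-fd 1 --verify "$sigfile" "$tarball" 2>/dev/null); then
        gpg_rc=0
    else
        gpg_rc=$?
    fi
    # Do not rely on the exit code alone: reject on any negative status line,
    # then require both GOODSIG (key matched) and VALIDSIG (signature verified).
    case "$status" in
        *"[GNUPG:] BADSIG"*|*"[GNUPG:] ERRSIG"*|*"[GNUPG:] EXPKEYSIG"*|*"[GNUPG:] REVKEYSIG"*)
            return 1 ;;
    esac
    [ "$gpg_rc" -eq 0 ] || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG ' || return 1
    return 0
}

# demo_verify
# Exercises verify_tarball offline with a throwaway keyring and a constructed
# archive. Returns 0 when the genuine signature is accepted AND the tampered
# tarball is rejected; any setup failure returns 3.
demo_verify() {
    work=$(mktemp -d) || return 3
    GNUPGHOME="$work/gnupg"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 3
    # Ephemeral unprotected key standing in for the upstream release key.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Release Key (demo) <release@example.invalid>' default default never \
        >/dev/null 2>&1 || return 3
    # Constructed "source tarball": the bytes are irrelevant to the check.
    printf 'constructed sample archive\n' > "$work/src.tar.gz"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$work/src.tar.gz.sig" "$work/src.tar.gz" \
        >/dev/null 2>&1 || return 3
    verify_tarball "$work/src.tar.gz" "$work/src.tar.gz.sig"; good=$?
    # Tamper after signing, as a malicious mirror could: append one byte.
    printf 'x' >> "$work/src.tar.gz"
    verify_tarball "$work/src.tar.gz" "$work/src.tar.gz.sig"; tampered=$?
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    unset GNUPGHOME
    [ "$good" -eq 0 ] && [ "$tampered" -ne 0 ]
}
```

In real use the release key must come from somewhere other than the same mirror that serves the tarball (a key already in the keyring, or one fetched from the project's own host and cross-checked), otherwise an attacker who controls the mirror can simply supply a key of their own along with a matching signature. That is also why the bzr clone from launchpad.net and the GPG-signed tc-install*.deb are a different trust situation from an unsigned tarball fetched from an arbitrary host.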