> Please provide a demonstration attack that would force users into > downloading, and wrongly checking, a malicious package. The only way that can > happen is if a mirror is already compromised, and that's why whe have > per-signature GPG releases for the archive [1].
Verification of signatures is unfortunately not available in woody or sarge. Secondly, Debian mirrors have been hacked a couple of times, haven't they? And besides, users can still be easily tricked into believing the signatures on the mirror were wrong and can possibly be tempted to use some alternative source provided by an attacker, etc. > A proper fix would take the MD5sum from somewhere and not the user's > submission [...]. Sounds like a good plan to me. Stefan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
