> The databases (lists) are not very large, as far as I understand, but
> it wasn't my call ("repositories" in the 4th line is a typo; I meant
> "databases"). I'm not an Arch Linux developer; I'm just contributing
> to their effort to implement package signing.

> Individual packages will be signed, but for complete security, the
> databases must themselves also be signed; otherwise, an attacker could
> use DNS spoofing to deliver a database listing outdated packages with
> known vulnerabilities, and it would happily be accepted by end-users'
> systems. The vulnerable packages would not be updated, but the users
> would most likely not notice, since other packages would be updated.

All makes sense. Just don't get why it's so expensive to download a small package list?

--
Jerome Baum
tel +49-1578-8434336
email jer...@jeromebaum.com
web www.jeromebaum.com
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
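Added example, not code from this thread or from Arch Linux's package manager: a minimal client-side check of a signed package database, showing why the list itself needs a signature and not only the packages. HMAC with a constructed key stands in for the distribution's PGP database-signing key (the stdlib has no asymmetric signatures), and the serial check goes one step beyond the thread by also rejecting replay of an older, genuinely signed database.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for the distribution's database-signing
# PGP key. HMAC is used only because the stdlib has no asymmetric signatures;
# the verification logic is what the example demonstrates.
DB_SIGNING_KEY = b"constructed-demo-key"

def canonical(db):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(db, sort_keys=True, separators=(",", ":")).encode()

def sign_db(db, key=DB_SIGNING_KEY):
    return hmac.new(key, canonical(db), hashlib.sha256).hexdigest()

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def verify_db(db, sig, last_trusted_serial, key=DB_SIGNING_KEY):
    """Return (accepted, reason).

    The signature check defeats the forged database described in the thread.
    The serial check goes beyond the thread: it also rejects replay of an
    older, genuinely signed database (rollback)."""
    if not hmac.compare_digest(sign_db(db, key), sig):
        return False, "database signature invalid"
    if db["serial"] < last_trusted_serial:
        return False, "database is older than one already trusted (rollback)"
    return True, "ok"

def updates_needed(installed, db):
    """Packages whose listed version is newer than the installed one."""
    return sorted(p for p, v in db["packages"].items()
                  if version_tuple(v) > version_tuple(installed.get(p, "0")))

# Constructed sample databases: the mirror's current list, an old snapshot,
# and an attacker's list that claims a high serial but carries no valid signature.
CURRENT_DB = {"serial": 42, "packages": {"openssl": "1.0.2", "bash": "4.3"}}
STALE_DB = {"serial": 41, "packages": {"openssl": "1.0.1", "bash": "4.3"}}
FORGED_DB = {"serial": 99, "packages": {"openssl": "1.0.1", "bash": "4.3"}}
INSTALLED = {"openssl": "1.0.1", "bash": "4.3"}

if __name__ == "__main__":
    for name, db, sig in [("current", CURRENT_DB, sign_db(CURRENT_DB)),
                          ("stale", STALE_DB, sign_db(STALE_DB)),
                          ("forged", FORGED_DB, "00" * 32)]:
        ok, why = verify_db(db, sig, last_trusted_serial=42)
        print(f"{name}: {why}", updates_needed(INSTALLED, db) if ok else "")
```

Without the signature check, the forged list would be accepted and `updates_needed` would report nothing for openssl, which is exactly the silent non-update the thread describes.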