On 18/05/2018 07:31, Fiedler Roman wrote:

> I thought about that also, but shouldn't 99%+ of systems perform no pinning
> whatsoever of packages to repositories? In that case, the "wrong" repository
> could publish just a slightly increased package version number of a package
> from another repository. Unattended updates will apply it anyway, and it would
> also be hard for users to notice: at least my "apt-get" version does not
> show any information about the repository a package would be downloaded from
> before confirming the installation. Thus the user would have to check each
> single package manually by invoking "apt-cache policy [pkg-name]" or use
> "apt-get download [packagelist]", check the logs and install packages with
> "dpkg".

Well, assume that whoever can publish to a repo you trust *is root* on your machine. Even if you could pin the package, what prevents him from adding a suid exe?

> Unless my system is misconfigured or other assumptions do not hold true, that
> would imply that the only security benefit from key pinning is about
> maintenance, making detection/pruning of stale keys easier.

That's exactly what they're for.

BYtE,
Diego

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
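The per-package check Fiedler describes ("apt-cache policy [pkg-name]" for every package, then reading off where the candidate version would come from) can be automated. The following is an added example, not code from the thread or from apt itself: it parses the output format of `apt-cache policy` and flags any package whose candidate version would be fetched from a repository outside an allowlist. The sample output, the package `libfoo1`, the repository `http://repo.example.org/debian` and the `TRUSTED_ORIGINS` allowlist are all constructed for illustration; a real run would feed in the live output of `apt-cache policy` for the packages an upgrade is about to touch.

```python
import re
import subprocess
import sys

# Constructed sample of `apt-cache policy bash libfoo1` output (not real data).
# libfoo1 has a third-party repository offering a slightly higher version than
# the distribution archive, which is exactly the case discussed in the thread.
SAMPLE_POLICY = """\
bash:
  Installed: 4.4.18-2ubuntu1.2
  Candidate: 4.4.18-2ubuntu1.2
  Version table:
 *** 4.4.18-2ubuntu1.2 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.4.18-2ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
libfoo1:
  Installed: 1.2.3-1
  Candidate: 1.2.3-1+thirdparty1
  Version table:
     1.2.3-1+thirdparty1 500
        500 http://repo.example.org/debian xenial/main amd64 Packages
 *** 1.2.3-1 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status
"""

# Assumed allowlist: repository base URLs exactly as apt-cache prints them.
TRUSTED_ORIGINS = frozenset({"http://archive.ubuntu.com/ubuntu"})

PKG_RE = re.compile(r"^(\S+):$")                          # "bash:"
CAND_RE = re.compile(r"^\s+Candidate:\s+(\S+)$")          # "  Candidate: 1.2.3-1"
SRC_RE = re.compile(r"^\s+(-?\d+)\s+(\S+)(?:\s+.*)?$")    # "  500 http://... suite/comp arch Packages"
VER_RE = re.compile(r"^\s*(?:\*\*\*\s+)?(\S+)\s+(-?\d+)\s*$")  # " *** 1.2.3-1 500"


def parse_policy(text):
    """Parse `apt-cache policy` output into
    {pkg: {"candidate": version, "versions": {version: [source, ...]}}}."""
    packages = {}
    pkg = None
    ver = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg = m.group(1)
            packages[pkg] = {"candidate": None, "versions": {}}
            ver = None
            continue
        if pkg is None:
            continue
        m = CAND_RE.match(line)
        if m:
            packages[pkg]["candidate"] = m.group(1)
            continue
        # Source lines start with a pin priority; check them before version lines
        # because a version line ends with a priority instead.
        m = SRC_RE.match(line)
        if m and ver is not None:
            packages[pkg]["versions"][ver].append(m.group(2))
            continue
        m = VER_RE.match(line)
        if m:
            ver = m.group(1)
            packages[pkg]["versions"].setdefault(ver, [])
    return packages


def untrusted_candidates(packages, trusted_origins):
    """Return {pkg: [origin, ...]} for every package whose candidate version
    would be downloaded from a repository not in trusted_origins.
    Local sources (the dpkg status file, paths starting with '/') are ignored
    since nothing is downloaded from them."""
    findings = {}
    for pkg, info in packages.items():
        sources = info["versions"].get(info["candidate"], [])
        bad = [s for s in sources
               if not s.startswith("/") and s not in trusted_origins]
        if bad:
            findings[pkg] = bad
    return findings


if __name__ == "__main__":
    # With package names as arguments, query the live system; otherwise use the sample.
    if len(sys.argv) > 1:
        text = subprocess.run(["apt-cache", "policy", *sys.argv[1:]],
                              check=True, capture_output=True, text=True).stdout
    else:
        text = SAMPLE_POLICY
    for pkg, origins in untrusted_candidates(parse_policy(text), TRUSTED_ORIGINS).items():
        print(f"{pkg}: candidate version comes from untrusted origin(s): {', '.join(origins)}")
```

Run against the embedded sample it reports only `libfoo1`, because its candidate version is offered solely by the third-party repository, while `bash` resolves to the distribution archive. Note that, as Diego points out, this only tells you which repository wins the version race; it does not protect against a trusted repository publishing something malicious.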