Re: Fwd: Status of opensync in Debian - mass removal very likely

2012-03-04 Thread Chris Frey
Thanks to intrigeri for forwarding this message to me. There are about 3 developers working on opensync, very part time, and I'm one of them, and have taken the role of upstream maintainer for the library, and some plugins as far as I am able. I lack test devices, so cannot truly support all plug

Re: Signing Packages.gz

2000-04-02 Thread Chris Frey
Chris Frey wrote: > I'm curious how this issue is going to be handled now that it has been > discussed. (The archives don't seem to be seeing any new messages on this > topic.) What has to occur before this cryptographic signing of > Packages actually happens? Oops, t

Re: Signing Packages.gz

2000-04-01 Thread Chris Frey
Hi, I'm curious how this issue is going to be handled now that it has been discussed. (The archives don't seem to be seeing any new messages on this topic.) What has to occur before this cryptographic signing of Packages actually happens? Does it need to become part of policy? (in which case I

Re: Signing Packages.gz

2000-03-29 Thread Chris Frey
Robert Bihlmeyer <[EMAIL PROTECTED]> wrote: > That's just the point: the security of a singly-signed Packages.gz > would not be much higher than that of the ftp sites themselves. > Nothing to win, here. Actually I'm not concerned right now with the security of the main debian ftp site. While tha

Re: Signing Packages.gz

2000-03-28 Thread Chris Frey
Quoting from the mailing list archives... :-) Marcus Brinkmann <[EMAIL PROTECTED]> wrote: > On Sun, Mar 26, 2000 at 09:00:34AM +1000, Anthony Towns wrote: > > The whole file --- verifying each entry would take at least three minutes > > I don't think it is useful to sign the Packages file, becau

Re: Signing Packages.gz

2000-03-26 Thread Chris Frey
On Sat, Mar 25, 2000 at 11:03:11PM +0100, Robert Bihlmeyer wrote: > Chris Frey <[EMAIL PROTECTED]> writes: > > > So my question is, what are your thoughts on adding a signature to the > > current Packages.gz file, or adding a similar *dsc file for it, > > which is

Signing Packages.gz

2000-03-24 Thread Chris Frey
Hi, To my understanding the package process is fairly secure on the incoming side of Debian's package management system. Maintainers sign their uploads which prevents a man-in-the-middle attack. These packages are then checksummed in Packages.gz, but nowhere is that file signed, that I know of. T