On Sat, Apr 01, 2000 at 08:52:36PM +0200, Torsten Landschoff wrote:
> On Sat, Apr 01, 2000 at 04:00:20PM +0200, Marcus Brinkmann wrote:
>
> > It seems you feel personally insulted. I am sorry for this, but
> > unfortunately it doesn't change the situation that the signed packages case
> > adds a further point of weakness to the chain of trust.
>
> Interesting. So signing Packages.gz will lower the security?

No. Currently there is NO chain of verification (I should not have said
"trust", it's the wrong term. Sorry). However, it doesn't establish a complete
chain of verification from the developers to the users, au contraire to what
you seem to believe.

> > We already use link 1 (signed changes files), and trust it. This won't
> > be changed by either proposal. Yes, even in the signed packages file you
> > trust all developers' keys.
>
> There is a difference between our master server trusting the uploaded changes
> files. master will by definition always have the current keyring. The user
> might not.

Yes, but this doesn't change the point. The problem of out-of-date keys is a
known problem in any public key cryptosystem.

> Okay - signing Packages will make Debian as secure as master is. Fine.
> We must assume that master is secure, otherwise we are doomed anyway.

Wrong. If you have signed debs, and you are careful when updating the
debian-keyring package, there is no risk even if master is compromised.

> Currently Debian is as secure as the worst maintained mirror.
>
> > What link 2 asserts instead is that the packages come from master. It solves
> > the mirror problem, but does not solve the master problem.
>
> So let's fix the mirror problem and leave the master problem for later.

This is the Debian way, right? Fetching the stick at the wrong end first.
(Yes, this is a troll.)

Thanks,
Marcus

--
`Rhubarb is no Egyptian god.'  Debian  http://www.debian.org  Check Key server
Marcus Brinkmann               GNU     http://www.gnu.org     for public PGP Key
[EMAIL PROTECTED], [EMAIL PROTECTED]                          PGP Key ID 36E7CD09
http://homepage.ruhr-uni-bochum.de/Marcus.Brinkmann/          [EMAIL PROTECTED]
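The two proposals argued over above (a master-signed Packages index versus per-package signatures from the uploading developer) can be compared by modelling the three parties and the two attacks the thread mentions. The following is an added example, not Debian's code and not part of the original mail thread. It uses HMAC-SHA256 as a stand-in for a PGP signature (so "the verifier holds the key" should be read as "the signer's public key is in the verifier's ring"), and all package names, maintainers and key material are constructed for illustration. A compromised mirror can only swap bytes; a compromised master can also re-sign the index but holds no developer key; the "new-key" case is a package from a developer whose key is missing from the user's stale copy of debian-keyring.

```python
import hashlib
import hmac
from dataclasses import dataclass


def sign(key: bytes, data: bytes) -> bytes:
    """Toy signature: HMAC-SHA256 stands in for a PGP signature (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


# Constructed keys for the example. "alice" and "bob" are in every keyring;
# "carol" is a newer developer the user's keyring copy does not have yet.
MASTER_KEY = b"master-archive-signing-key"
DEVELOPER_KEYS = {"alice": b"alice-key", "bob": b"bob-key", "carol": b"carol-key"}


@dataclass
class Deb:
    name: str
    maintainer: str
    data: bytes
    dev_sig: bytes       # link 1: the maintainer's signature over the package bytes


@dataclass
class Archive:
    debs: dict           # name -> Deb, as served by a mirror
    packages: bytes      # Packages index: one "name sha256" line per package
    packages_sig: bytes  # link 2: master's signature over the index


def developer_upload(name: str, maintainer: str, data: bytes) -> Deb:
    return Deb(name, maintainer, data, sign(DEVELOPER_KEYS[maintainer], data))


def master_build_index(debs: dict) -> tuple:
    lines = [f"{n} {hashlib.sha256(d.data).hexdigest()}\n"
             for n, d in sorted(debs.items(), key=lambda kv: kv[0])]
    packages = "".join(lines).encode()
    return packages, sign(MASTER_KEY, packages)


def publish(debs: list) -> Archive:
    debmap = {d.name: d for d in debs}
    packages, sig = master_build_index(debmap)
    return Archive(debmap, packages, sig)


def compromise_mirror(archive: Archive, name: str, evil: bytes) -> None:
    """A bad mirror can swap bytes but holds no key, so nothing gets re-signed."""
    d = archive.debs[name]
    archive.debs[name] = Deb(d.name, d.maintainer, evil, d.dev_sig)


def compromise_master(archive: Archive, name: str, evil: bytes) -> None:
    """A compromised master re-signs the index, but still holds no developer key."""
    compromise_mirror(archive, name, evil)
    archive.packages, archive.packages_sig = master_build_index(archive.debs)


def check_signed_packages(archive: Archive) -> dict:
    """Proposal 'sign Packages': trust master's key, then compare each deb's hash."""
    if not verify(MASTER_KEY, archive.packages, archive.packages_sig):
        return {n: False for n in archive.debs}
    expected = dict(line.split() for line in archive.packages.decode().splitlines())
    return {n: hashlib.sha256(d.data).hexdigest() == expected.get(n)
            for n, d in archive.debs.items()}


def check_signed_debs(archive: Archive, keyring: dict) -> dict:
    """Proposal 'sign debs': verify each package against the user's developer keyring."""
    return {n: d.maintainer in keyring and verify(keyring[d.maintainer], d.data, d.dev_sig)
            for n, d in archive.debs.items()}


def scenario(attack: str) -> tuple:
    """Run both client checks on one archive; attack is none, mirror, master or new-key."""
    uploads = [developer_upload("foo", "alice", b"foo_1.0.deb"),
               developer_upload("bar", "bob", b"bar_2.1.deb")]
    # The user's copy of debian-keyring predates carol's key.
    keyring = {k: v for k, v in DEVELOPER_KEYS.items() if k != "carol"}
    if attack == "new-key":
        uploads.append(developer_upload("baz", "carol", b"baz_0.1.deb"))
    archive = publish(uploads)
    if attack == "mirror":
        compromise_mirror(archive, "foo", b"foo_1.0.deb with a backdoor")
    elif attack == "master":
        compromise_master(archive, "foo", b"foo_1.0.deb with a backdoor")
    return check_signed_packages(archive), check_signed_debs(archive, keyring)


if __name__ == "__main__":
    for attack in ("none", "mirror", "master", "new-key"):
        pk, dv = scenario(attack)
        print(f"{attack:8} signed-Packages accepts {sorted(n for n, ok in pk.items() if ok)}, "
              f"signed-debs accepts {sorted(n for n, ok in dv.items() if ok)}")
```

Running it shows both sides of the argument: both schemes reject the package swapped on a bad mirror, only per-package signatures reject the package swapped on a compromised master, and only the master-signed index accepts a package from a developer whose key the user has not yet fetched.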

