On Sat, 1 Apr 2000, Marcus Brinkmann wrote:

> Wrong. If you have signed debs, and you are careful when updating the
> debian-keyring package, there is no risk even if master is compromised.
Hahha! Sorry, you are deluded if you believe this :>

Seriously, if someone can hack master we are all vulnerable - how many people out there do you think use the same password on master as on their home boxes? How many people forward ssh agents and put that key in their home .ssh/authorized_keys? How many people have foolishly left their pgp key on master? Hint: Lots to all of the above [except the last, we purged a bunch of people for that a while ago].

If master is compromised right now, we would take the d-changes archive from a more secure machine [which we may not even have, hence the interest in storing that in the archive], a slink CD, some potato CDs developers might have, etc, and begin painstakingly verifying each and every .deb and .dsc to make sure it comes from where it was supposed to come from - there is no automated way to do this and only people like James would actually know who should be signing what packages.

Jason
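The check Jason describes (for each .dsc or .changes, confirm the signature is good against the keyring and that the signer is someone who should be uploading that package) is the part that needs a "who may sign what" table nobody had written down. As an added example, not code from this thread or from Debian's archive tools, the script below parses the machine-readable lines that `gpg --no-default-keyring --keyring debian-keyring.gpg --status-fd 1 --verify FILE.dsc` prints and matches the signer against a per-package allowlist. The allowlist, the key fingerprints and the gpg status output are all constructed for illustration; the one real detail worth noting is that VALIDSIG reports the signing (sub)key first and the primary key's fingerprint as an optional last field, so an allowlist keyed on primary keys has to read that field.

```python
"""Who signed this .dsc, and are they an expected uploader of that package?

Added example, not from the debian-devel thread or Debian's own tooling. It
consumes `gpg --status-fd 1 --verify` output (constructed samples below) and
checks the signer against a hypothetical per-package allowlist.
"""
import re
from collections import namedtuple

HEX40 = re.compile(r"^[0-9A-F]{40}$")
PREFIX = "[GNUPG:] "

# Constructed primary-key fingerprints; not real Debian keys.
KEY_A = "0123456789ABCDEF0123456789ABCDEF01234567"
SUBKEY_A = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"   # signing subkey of KEY_A
KEY_B = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"

# Hypothetical "who may upload what" table, keyed on primary-key fingerprints
# (the knowledge the thread says only a few people carry in their heads).
ALLOWED_UPLOADERS = {
    "apt": {KEY_A},
    "dpkg": {KEY_B},
}

Verdict = namedtuple("Verdict", "status signer")


def source_package(filename):
    """apt_0.3.19.dsc -> apt (same naming scheme for .changes files)."""
    return filename.split("_", 1)[0]


def parse_status(lines):
    """Reduce gpg --status-fd output to (good_sig, primary_fpr, failure)."""
    good, fingerprint, failure = False, None, None
    for raw in lines:
        if not raw.startswith(PREFIX):
            continue
        parts = raw[len(PREFIX):].split()
        if not parts:
            continue
        tag, args = parts[0], parts[1:]
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG" and args:
            # args[0] is the key that made the signature, possibly a subkey;
            # the optional 10th field is the primary key's fingerprint, which
            # is what an uploader allowlist should be matched against.
            fingerprint = args[9] if len(args) >= 10 and HEX40.match(args[9]) else args[0]
        elif tag == "BADSIG":
            failure = "bad-signature"      # file altered, or signed with another key
        elif tag == "NO_PUBKEY":
            failure = "unknown-key"        # signer is not in the keyring at all
        elif tag == "EXPKEYSIG":
            failure = "expired-key"
        elif tag == "REVKEYSIG":
            failure = "revoked-key"
        elif tag == "ERRSIG" and failure is None:
            failure = "unverifiable"       # gpg normally follows this with NO_PUBKEY
    return good, fingerprint, failure


def check_upload(filename, status_lines, allowed=ALLOWED_UPLOADERS):
    """Good signature AND signer allowed for this source package -> 'ok'."""
    good, fingerprint, failure = parse_status(status_lines)
    if failure:
        return Verdict(failure, fingerprint)
    if not (good and fingerprint):
        return Verdict("unsigned", None)
    if fingerprint not in allowed.get(source_package(filename), set()):
        return Verdict("unauthorized-signer", fingerprint)
    return Verdict("ok", fingerprint)


def _validsig(signing_fpr, primary_fpr):
    # Field layout: fpr date timestamp expire sigver reserved pkalgo hashalgo class [primary-fpr]
    return f"{PREFIX}VALIDSIG {signing_fpr} 2000-04-01 954547200 0 3 0 17 2 00 {primary_fpr}"


# Constructed status output, modelled on gpg's format, for four uploads.
SAMPLES = {
    # Signed with A's subkey: accepted because the primary key is allowed for apt.
    "apt_0.3.19.dsc": [f"{PREFIX}NEWSIG",
                       f"{PREFIX}GOODSIG {KEY_A[-16:]} Alice <alice@example.org>",
                       _validsig(SUBKEY_A, KEY_A)],
    # Cryptographically fine, but A is not an uploader of dpkg.
    "dpkg_1.6.12.dsc": [f"{PREFIX}GOODSIG {KEY_A[-16:]} Alice <alice@example.org>",
                        _validsig(KEY_A, KEY_A)],
    # Signed by a key the keyring does not contain.
    "apt_0.3.18.dsc": [f"{PREFIX}ERRSIG DEADBEEFDEADBEEF 17 2 00 954547200 9",
                       f"{PREFIX}NO_PUBKEY DEADBEEFDEADBEEF"],
    # Tampered file.
    "dpkg_1.6.11.dsc": [f"{PREFIX}BADSIG {KEY_B[-16:]} Bob <bob@example.org>"],
}


def audit(samples=SAMPLES):
    """Map each file name to its verdict status."""
    return {name: check_upload(name, lines).status for name, lines in samples.items()}


if __name__ == "__main__":
    for name, status in audit().items():
        print(f"{name:18} {status}")
```

The second sample is the case a bare `gpg --verify` against the keyring would wave through: the signature is good and the key is a developer's, it is just the wrong developer for that package. That is exactly the per-package knowledge the message says was never written down.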

