On Mon, Mar 12, 2001 at 12:10:48PM +1000, Anthony Towns wrote:
> On Fri, Mar 09, 2001 at 10:36:21PM -0500, Ben Collins wrote:
> > > Then IMHO they are not very worthwhile. When the best Debian can do is say
> > > 'all packages are signed by one of these 800 keys' :P
> > That's why the package should also get signed by the same dinstall key
> > that signs the release sig :P
>
> Oh, btw, for people using dselect, apt and apt frontends, signing just
> the .debs isn't enough. Consider somewhen leaving all the .debs exactly
> as is, and hax0ring the Packages.gz file to make dpkg appear to conflict
> with some security fixes, or to depend on some buggy package, or changing
> the md5sums on some packages so apt'll refuse to install them, or similar.
>
> This applies whether you have a `progeny' signature on each .deb or not,
> too, note.
Oh, and as has been said many times, no one ever said having a Release.gpg was a bad idea. Can we stop the battle of the sigs now please?

-- 
-----------=======-=-======-=========-----------=====------------=-=------
/ Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \
` [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- [EMAIL PROTECTED] '
`---=========------=======-------------=-=-----=-===-======-------=--=---'
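The point made in the quoted reply, as an added illustration that is not part of the thread or of any Debian tool: a client that only checks each .deb against the MD5sum in Packages cannot notice an edited Packages file, whereas a client that also checks Packages against the Release file (the one artefact Release.gpg covers) does. The index, Release and .deb contents below are constructed samples, and the gpg check of Release.gpg is assumed to have already passed.

```python
import hashlib

# Constructed sample .deb payload (not a real ar archive) and the index stanza describing it.
DEB_BYTES = b"constructed deb payload for dpkg_1.9.4"
DEB_MD5 = hashlib.md5(DEB_BYTES).hexdigest()

PACKAGES = (
    "Package: dpkg\nVersion: 1.9.4\nDepends: libc6\n"
    "Filename: pool/main/d/dpkg/dpkg_1.9.4_i386.deb\n"
    f"Size: {len(DEB_BYTES)}\nMD5sum: {DEB_MD5}\n"
).encode()

# Constructed Release file: the artefact Release.gpg signs. It is treated here as already
# signature-verified, so its hash of the Packages index is the trust anchor for the index.
RELEASE = (
    "Suite: stable\nMD5Sum:\n"
    f" {hashlib.md5(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-i386/Packages\n"
)

def release_entries(release_text):
    """Return {path: (md5, size)} from the MD5Sum: block of a Release file."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_block = False
    return entries

def index_is_covered(release_text, path, packages_bytes):
    """True if the index file matches the hash and size the (signed) Release file lists."""
    digest, size = release_entries(release_text).get(path, (None, None))
    return digest == hashlib.md5(packages_bytes).hexdigest() and size == len(packages_bytes)

def parse_stanza(packages_bytes):
    """Parse one Packages stanza into a field dict (single-stanza sample, no multi-line fields)."""
    return dict(l.split(": ", 1) for l in packages_bytes.decode().splitlines() if ": " in l)

def deb_is_covered(packages_bytes, deb_bytes):
    """True if the .deb matches the MD5sum and Size its Packages stanza lists."""
    st = parse_stanza(packages_bytes)
    return st["MD5sum"] == hashlib.md5(deb_bytes).hexdigest() and int(st["Size"]) == len(deb_bytes)

# Edited index: the .deb is untouched, only its Depends line has been rewritten.
TAMPERED = PACKAGES.replace(b"Depends: libc6", b"Depends: libc6, some-buggy-package")
```

With the edited index, `deb_is_covered` still returns True because the .deb itself was never changed; only `index_is_covered` against the signed Release file catches it.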

