On Sun, Mar 11, 2001 at 09:53:37PM -0500, Ben Collins wrote: > > > That's why the package should also get signed by the same dinstall key > > > that signs the release sig :P > > Oh, btw, for people using dselect, apt and apt frontends, signing just > > the .debs isn't enough. Consider somewhen leaving all the .debs exactly > > as is, and hax0ring the Packages.gz file to make dpkg appear to conflict > > with some security fixes, or to depend on some buggy package, or changing > > the md5sums on some packages so apt'll refuse to install them, or similar. > > > > This applies whether you have a `progeny' signature on each .deb or not, > > too, note. > Can we stop the battle of the sigs now please?
Sure, I just mean it's probably something Progeny and co want to be aware of. Here seemed as good a place as any to mention it. Cheers, aj -- Anthony Towns <[EMAIL PROTECTED]> <http://azure.humbug.org.au/~aj/> I don't speak for anyone save myself. GPG signed mail preferred. ``_Any_ increase in interface difficulty, in exchange for a benefit you do not understand, cannot perceive, or don't care about, is too much.'' -- John S. Novak, III (The Humblest Man on the Net)
