On Mon, Mar 12, 2001 at 04:34:29PM +1000, Anthony Towns wrote: > On Sun, Mar 11, 2001 at 09:53:37PM -0500, Ben Collins wrote: > > > > That's why the package should also get signed by the same dinstall key > > > > that signs the release sig :P > > > Oh, btw, for people using dselect, apt and apt frontends, signing just > > > the .debs isn't enough. Consider somewhen leaving all the .debs exactly > > > as is, and hax0ring the Packages.gz file to make dpkg appear to conflict > > > with some security fixes, or to depend on some buggy package, or changing > > > the md5sums on some packages so apt'll refuse to install them, or similar. > > > > > > This applies whether you have a `progeny' signature on each .deb or not, > > > too, note. > > Can we stop the battle of the sigs now please? > > Sure, I just mean it's probably something Progeny and co want to be aware > of. Here seemed as good a place as any to mention it.
Ok. I think progeny is going with "release" signatures on the .deb's though, since they don't have to worry about b/w and mirrors like we do. John may want to consider looking in to the signed release file too. -- -----------=======-=-======-=========-----------=====------------=-=------ / Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \ ` [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- [EMAIL PROTECTED] ' `---=========------=======-------------=-=-----=-===-======-------=--=---'
