Jon, regarding your recent, insightful column at 
SecurityFocus (http://www.securityfocus.com/columnists/48) regarding 
package manipulation and trojan insertion. Well, I have been discussing 
this issue in Debian for a while and just yesterday (IIRC, but could be 
checked at cvs.debian.org) sent a new version of the "Securing Debian 
HOWTO" (available at 
http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html) 
which does talk about the package signing stuff and Debian's point of 
view regarding it. As you say in your column, you currently *can* check 
signatures in Debian, but it's not enabled by default since the 
proposed scheme has not yet been decided upon (check the HOWTO for more 
information).

BTW, I did write this info *before* reading your column (just in case 
you were wondering), as a matter of fact I had the notes for about a 
week but had to get some time to write it down :)

In any case, I wanted to comment this info just in case you want to 
update your column to add additional info.

Regards

Javier Fernández-Sanguino Peña

