On Thu, Dec 21, 2000 at 08:12:14PM +0100, Christian Kurz wrote: > On 00-12-21 Colin Phipps wrote: > > On Thu, Dec 21, 2000 at 04:09:07PM +0100, Christian Kurz wrote: > > > And who will create this key? Who will have the passphrase? Who will > > > sign the packages? > > > Someone on master.debian.org, presumably the ftp admins. > > And so you trust this admins? Just asking because some people here have > a lot of paranoia.
Signing packages on the master mirror guards against compromised or spoofed mirrors. Not trusting the master mirror or its admins is a separate, and much harder problem. -- Colin Phipps http://www.netcraft.com/
