On Mon, Jul 08, 2002 at 11:31:55PM +0100, Matthew Johnson wrote:
> On Mon, 2002-07-08 at 22:15, Marcel Weber wrote:
> >
> > Well this would not be a big thing, would it? When I take a look at the ftp
> > server, there is a .dsc with pgp signatures for each package. So letting
> > dselect / aptitude or better dpkg-get do a check for the key via gpg
> > would be no big deal, or am I wrong? As there are many mirrors worldwide,
> > that could be hacked or something, it would be a huge security improvement.
>
> The main problem is presumably with trust of the keys. If all the debian
> developers / package maintainers had keys signed by a central debian key
> - then you still have to trust that debian key. Events like debconf
> could certainly be used to check fingerprints and sign keys - but that
> still leaves a lot of ppl without an easy way to check.

Is it possible to make a statistic on how many DDs are in this situation?
What about identifying these "weak nodes" and then trying to enforce them?

cya
Samuele

-- 
Samuele Giovanni Tonon <[EMAIL PROTECTED]> http://www.linuxasylum.net/~samu/
Acid -- better living through chemistry.
       Timothy Leary
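
One way to produce the statistic asked about above, as an added example that is not part of the original message: walk the key signatures breadth-first from a key you already trust, then list the keys with no signature path and the keys whose every path runs through one intermediate signer. The key names, the signature data and the reading of "weak nodes" as single-signer dependence are assumptions.

```python
from collections import deque

# Constructed sample data: signer -> keys that signer has certified.
# Key names are hypothetical placeholders, not real developer keys.
SIGNATURES = {
    "root":  ["alice", "bob"],
    "alice": ["bob", "carol"],
    "bob":   ["alice"],
    "carol": ["dave"],
    "erin":  ["frank"],   # island: no key reachable from root signed erin
    "frank": ["erin"],
}

def all_keys(sigs):
    """Every key that appears as a signer or as a signed key."""
    keys = set(sigs)
    for signed in sigs.values():
        keys.update(signed)
    return keys

def reachable(sigs, start, skip=None):
    """Keys with a signature path from `start` that never passes through `skip`."""
    seen, queue = {start}, deque([start])
    while queue:
        signer = queue.popleft()
        for key in sigs.get(signer, []):
            if key != skip and key not in seen:
                seen.add(key)
                queue.append(key)
    return seen

def trust_report(sigs, root):
    """Count keys, list those unverifiable from `root`, and map each weak key
    to the single signers whose removal would cut it off from `root`."""
    keys = all_keys(sigs)
    trusted = reachable(sigs, root)
    weak = {}
    for mid in sorted(trusted - {root}):
        # Keys that drop out of the trusted set once `mid` is taken away.
        cut = trusted - reachable(sigs, root, skip=mid) - {mid}
        for key in cut:
            weak.setdefault(key, []).append(mid)
    return {
        "total": len(keys),
        "unverifiable": sorted(keys - trusted),
        "weak": {k: weak[k] for k in sorted(weak)},
    }

if __name__ == "__main__":
    print(trust_report(SIGNATURES, "root"))
```
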

