On Feb 17, 2008 3:48 PM, Alexander Schmehl <[EMAIL PROTECTED]> wrote:
> Yes, as the last couple of announcements did. The problem is, that if we
> announce a new release before it is sent to the mirrors, mirrors are hit
> very hard hindering the sync of our mirror network.
>
> So in general we first push upgrades to the mirrors, and then send out
> announcements.
That does make good sense, for the masses (of which I am one) I suppose.

> Well, a rogue hacker would need to be quite skilled to add some kind of
> "bad" package.
>
> Let's assume he has created a bad package and got control over a mirror
> (since he can't upload the package himself that's the only way to
> include it). Of course he could add his package to the Debian archive
> he has on that mirror, but since packages and releases are signed with
> gpg he couldn't benefit from that, since as soon as someone tries to
> install his bad package, package management would detect the wrong
> signature.

Thanks for the explanation Alexander,

-Jim P.
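The integrity chain Alexander describes, as an added illustration that is not part of the thread: a gpg-signed Release file lists the SHA256 of each Packages index, and each Packages stanza lists the SHA256 of its .deb, so a mirror operator who swaps a .deb (or rewrites the index to match) breaks a link that the client can detect. The archive contents below are constructed; the gpg check of the Release file itself is assumed to have already passed and is not modelled.

```python
import hashlib
import re

# Constructed sample archive contents, not data from any real mirror.
DEB_GOOD = b"fake .deb bytes for hello_1.0_amd64.deb"
DEB_ROGUE = b"trojaned .deb bytes substituted on a rogue mirror"
INDEX_PATH = "main/binary-amd64/Packages"
DEB_PATH = "pool/main/h/hello/hello_1.0_amd64.deb"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Packages index: one stanza per .deb with its Size and SHA256.
PACKAGES = (
    "Package: hello\nVersion: 1.0\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB_GOOD)}\n"
    f"SHA256: {sha256(DEB_GOOD)}\n\n"
)

# Release file (the gpg-signed part of the real archive): digest, size and
# path of every index file it covers.
RELEASE = (
    "Suite: stable\nSHA256:\n"
    f" {sha256(PACKAGES.encode())} {len(PACKAGES.encode()):>8} {INDEX_PATH}\n"
)

def release_entries(release: str) -> dict:
    """Parse the SHA256 block of a Release file into {path: (digest, size)}."""
    entries, in_block = {}, False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        elif in_block:
            break  # a non-indented line ends the block
    return entries

def packages_entries(packages: str) -> dict:
    """Parse Packages stanzas into {Filename: (SHA256, Size)}."""
    entries = {}
    for stanza in filter(None, packages.split("\n\n")):
        f = dict(re.findall(r"^(\S+): (.*)$", stanza, re.M))
        entries[f["Filename"]] = (f["SHA256"], int(f["Size"]))
    return entries

def verify_deb(release, packages, index_path, deb_path, deb_bytes) -> bool:
    """Release -> Packages -> .deb chain; True only if every link holds."""
    idx = packages.encode()
    if release_entries(release).get(index_path) != (sha256(idx), len(idx)):
        return False  # index rewritten: the signed Release no longer vouches for it
    want = packages_entries(packages).get(deb_path)
    return want == (sha256(deb_bytes), len(deb_bytes))
```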

