Jan Danielsson <jan.m.daniels...@gmail.com> writes:

> - If you don't know if:
>   o the server storage can be trusted
>   o you can fully trust the link
>   o you can trust your local storage up until the point at which you
>     install the package
>   .. then you need the binary package to be signed.

If you can't trust your local storage, you have no basis for getting anything at all right. Your local storage is where the public keys are stored that you use to validate, where you store files in installed packages, and where you store /usr/bin/login. Seriously - if you can't trust your local computer, it's all over.