On Mon, 25 Jan 1999, Wichert Akkerman wrote:
> If people really want to be able to verify package integrity we might as
> well go the whole way. Ian Jackson posted (1.5 years ago I think) a
> proposal that would secure the complete stage from building a package to
> distribution on the mirrors.
>
On Mon, 25 Jan 1999, Lalo Martins wrote:
> Sounds good, as long as I can shut it off :-) Also, it should
> use the keyring in developers-keyring or one that comes with
> apt, otherwise the point is moot (anyone who can upload a .deb
> with a trojan can upload a Packages.pgp with a signature)
The
If people really want to be able to verify package integrity we might as
well go the whole way. Ian Jackson posted (1.5 years ago I think) a
proposal that would secure the complete stage from building a package to
distribution on the mirrors.
You might want to look that up in the list archives.
Jason wrote:
>
> I would prefer to use the idea of a trusted site (like ftp.debian.org) to
> fetch package file MD5 sums from, that way we do not get involved with the
> sticky issue of crypto hooks.
What about:
1. Every package already contains MD5 checksum.
2. Each section contains two new fi
Lalo Martins <[EMAIL PROTECTED]> writes:
> OTOH, we could just sign all packages with a same key ("the
> Debian key"); when dinstall verifies the signature and md5sum in
> the .changes file, it signs the package and updates
> Packages.pgp).
I prefer this method. Then we have less key distributi
On Mon, 25 Jan 1999, Brandon Mitchell wrote:
> for the user. If it fails, it could just warn the user and ask to
> continue. This would require: a) gnu's version of pgp to work (so that we
> don't request non-free software to get the free software) and the bad part
> b) someone to be at the con
On Jan 25, Brandon Mitchell decided to present us with:
> The thought I had was to make pgp signatures of the package
> files and save them as Packages.pgp. This will not interfere
> with the current package files, therefore we are still
> backwards compatible. Then apt could check for a pgp file a
[ hope you don't mind me cc'ing the list, but I think I didn't detail an
important point. ]
On Mon, 25 Jan 1999, Vincent Murphy wrote:
> i would favour another field in the .deb package format which contains a
> signature, which can be used by apt or whatever to verify that it is
> genuine. h
After seeing some trojan horses being spread and Martin trying to make
sure xisp can be verified as secure on the debian-user list, I started
thinking of how to secure our mirrors. The thought I had was to make pgp
signatures of the package files and save them as Packages.pgp. This will
not inter