Only the .torrent file needs to be trusted. It contains a SHA-1 hash for each of the pieces it would expect to download. As long as the .torrent is signed by, say, the Debian or Ubuntu key you should be right. Any pieces sent by bogus seeds will be rejected.
It's funny - I was talking about exactly this idea with my son on the weekend. (Maybe someone should check whether a patent application has already gone in for this one :-)

Martin

On 11/8/06, Michael Lake <[EMAIL PROTECTED]> wrote:
Ken Foskey wrote:
> Why don't we have apt-bittorrent. I would be happy to participate if
> the setup could be set so I could permanently seed any packages in my
> package directory with my off-peak data rate and rational throttling.
>
> Ubuntu / debian provides the tracker and a seed, and then the swarm
> takes over and if you wanted to mirror, eg Optus, you simply become a
> seed yourself.

But any of those seeds could insert a trojan in a deb.

> The apt tracker would have entries for every valid package (valid being
> stable, testing, unstable) you would simply connect to the 'known'
> tracker for that package and BT download it.

It would also have to do checksums and to do this it must refer back to a central trusted repository.

Mike

--
Michael Lake
Computational Research Support Unit
Science Faculty, UTS
Ph: 9514 2238

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
--
Regards, Martin

Martin Visser
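The per-piece check this thread discusses, as an added example that is not part of the original messages: a downloader holding a trusted "pieces" field keeps only data whose SHA-1 matches it, whichever peer sent it. Verification of the signature on the .torrent is assumed to have happened already; the function names, peer names and payload are constructed for illustration.

```python
import hashlib

SHA1_LEN = 20  # each entry in the metainfo "pieces" string is one 20-byte SHA-1


def build_pieces_field(payload, piece_length):
    """Publisher side: concatenated SHA-1 of every piece, as stored under 'pieces'."""
    return b"".join(hashlib.sha1(payload[off:off + piece_length]).digest()
                    for off in range(0, len(payload), piece_length))


def verify_piece(pieces_field, index, data):
    """Downloader side: accept a piece only if it matches the trusted digest."""
    expected = pieces_field[index * SHA1_LEN:(index + 1) * SHA1_LEN]
    if index < 0 or len(expected) != SHA1_LEN:
        return False  # index not covered by the trusted metainfo
    return hashlib.sha1(data).digest() == expected


def download(pieces_field, offers):
    """Keep the first valid copy of each piece; record which peer sent bad data."""
    count = len(pieces_field) // SHA1_LEN
    have, rejected = {}, []
    for peer, index, data in offers:
        if index in have:
            continue
        if verify_piece(pieces_field, index, data):
            have[index] = data
        else:
            rejected.append((peer, index))
    return (b"".join(have[i] for i in range(count)) if len(have) == count else None), rejected

# Constructed sample data: a stand-in payload and three hypothetical peers.
PIECE_LENGTH = 16
PACKAGE = b"constructed .deb payload for the example, not a real package"
PIECES = build_pieces_field(PACKAGE, PIECE_LENGTH)  # assumed to come from a signed .torrent
GOOD = [PACKAGE[i:i + PIECE_LENGTH] for i in range(0, len(PACKAGE), PIECE_LENGTH)]
OFFERS = [
    ("seed-a", 0, GOOD[0]),
    ("bogus-seed", 1, b"trojaned piece!!"),  # substituted content
    ("seed-a", 1, GOOD[1]),
    ("seed-b", 2, GOOD[2]),
    ("bogus-seed", 3, GOOD[3] + b"x"),       # right piece with extra bytes appended
    ("seed-b", 3, GOOD[3]),
    ("bogus-seed", 9, b"junk"),              # index the metainfo does not list
]

if __name__ == "__main__":
    print(download(PIECES, OFFERS))
```

The digests only bind the pieces to the metainfo, so the result is as trustworthy as the check that was done on the .torrent itself.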
