Re: Signing Packages.gz
Anthony Towns wrote:
> Just about everything is prone to the hack-a-mirror thing at the very
> first point. If you hack-a-mirror and change James' key in debian-keyring,
> and no one has a copy of debian-keyring already do compare it against,
> you're stuck.
>
> The dinstall key could be verified by:
>
> * the web of trust, and having the ftp-team sign it
>
> * putting a fingerprint on the website and in Debian books,
> and making it easy for people to verify said fingerprint
*** Warning, duplicate subthread detected ***
Original thread: http://www.debian.org/Lists-Archives/debian-devel-9906/thrd3.html#01350
Most relevant summary message: http://www.debian.org/Lists-Archives/debian-devel-9906/msg01428.html
DWN Summary: http://www.debian.org/News/weekly/1999/24/
This has been a public service announcement, courtesy of DWN.
Reply to: