Re: .deb integrity check
From: Joey Hess <joey@kitenet.net>
> Amos Shapira wrote:
> > It should be somehow possible to verify WHICH key should be verified,
> > and be able to obtain this in an independent way (i.e. if the package
> > is modified, and the key to be verified is directed to the cracker's
> > key then your verification wouldn't reveal this, would it?).
>
> If the package has to be signed by a key in the debian keyring, which itself
> must be signed by a single key, they can't do this.
Sounds like the answer to my point. So what's preventing the addition
of this to dpkg? Manpower or crypto laws?
Cheers,
--Amos
--Amos Shapira | "Of course Australia was marked for
| glory, for its people had been chosen
amos@gezernet.co.il | by the finest judges in England."
| -- Anonymous