
Re: .deb integrity check



> IMHO, Individual packages should be signed (or md5sums, whatever) by the
> maintainer.  The maintainer should include their public key with the package,
> and that public key should be signed by an official Debian key.  Thus
> verifying that the key is in fact authentic.  Dpkg shouldn't deal with
> authentication, rather apt, or dselect (urg!) - the transport - should check -
> because it's at this point that most packages are downloaded without knowing
> their authenticity.

I think dpkg should do the checking. What if I wget and then dpkg to install a
package, just like the security advisories sent to Bugtraq advise you to do?


-- 
-----------------------------------------------------------------------------
Sarel Botha          |     Computer &           | +27 341 81341
(sjb@dundee.lia.net) |        Accounting        | BOX 2065, Dundee
                     |           Services       | 3000, South Africa
-----------------------------------------------------------------------------
 "The End is near." -- http://www.geocities.com/Athens/Olympus/7771/666.htm
-----------------------------------------------------------------------------

