[Gllug] Linux Conf GUI

Chris Ball chris at cpan.org
Thu Jul 19 16:06:46 UTC 2001


On Thu, Jul 19, 2001 at 04:54:49PM +0100, home at alexhudson.com wrote:
> On Thu, Jul 19, 2001 at 03:18:27PM +0100, john.hearns at framestore.co.uk wrote:
> > So lets set the ball rolling on a discussion of how downloads like
> > this, and RPMs etc could be signed?
> > (Some savvy person will no doubt explain to us how they can be already).

> dpkg is a little behind, but if it can't do it yet the code is certainly in
> CVS AFAIK. 

Sure. The advantage of the Debian Way that hasn't been mentioned, though,
is that Debian requires package maintainers to sign packages before they
enter the main repository, so you can know that the package was created
by the maintainer and no-one else. On top of that, to be able to sign
for Debian, you have to show your passport (or whatever) to someone who
has already had *theirs* signed - so there's little doubt as to who
created the package. This is greatly unlike downloading random rpms. :)

It doesn't guarantee against someone authorised by Debian putting out
an apt-able trojan; it guarantees that the name on the signature is the
Real-Life Person who uploaded the package, though.

~C.
 
-- 
Chris Ball.
chris at cpan.org || http://printf.net/
"You are in a maze of header files, all alike."
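The point made above, that a signature proves who uploaded a package but not that the package is harmless, is worth making concrete. Below is an added example, not part of the original message and not Debian's or dpkg's own tooling: a POSIX shell snippet that verifies a detached OpenPGP signature on a downloaded archive with gpg and then checks the signer's primary-key fingerprint against a pinned allowlist. gpg's exit status alone only says that some key in the local keyring made a valid signature; pinning fingerprints obtained out of band (a keysigning, as the post describes) is what ties the signature to a person you have actually decided to trust. The fingerprints in the allowlist are constructed placeholders, and the file names in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example: verify a detached signature, then check the signer is a key
# WE chose to trust. Even with both checks passing, a trusted signer can still
# ship a trojan; this only pins the identity, as the post points out.

# Hypothetical allowlist of full 40-hex-digit primary-key fingerprints,
# obtained out of band (keysigning, printed on paper, etc.). Constructed values.
TRUSTED_FPRS="0123456789ABCDEF0123456789ABCDEF01234567
FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# fingerprint_trusted FPR -> 0 if FPR (spaces and case ignored) is in the
# allowlist, 1 otherwise. Rejects anything that is not exactly 40 hex digits.
fingerprint_trusted() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#fpr}" -eq 40 ] || return 1
    case "$fpr" in
        *[!0-9A-F]*) return 1 ;;
    esac
    for t in $TRUSTED_FPRS; do
        [ "$t" = "$fpr" ] && return 0
    done
    return 1
}

# signer_fingerprint SIGFILE DATAFILE -> prints the primary-key fingerprint
# from gpg's machine-readable status output (last field of the VALIDSIG line),
# or nothing if the signature does not verify or gpg is unavailable.
# --status-fd 1 routes the "[GNUPG:] ..." status lines to stdout.
signer_fingerprint() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF }'
}

# verify_download SIGFILE DATAFILE -> 0 only if the signature is good AND the
# signer is pinned; 2 for a bad/missing signature, 3 for a good signature
# from a key we never agreed to trust.
verify_download() {
    fpr=$(signer_fingerprint "$1" "$2")
    if [ -z "$fpr" ]; then
        echo "BAD: signature on $2 does not verify" >&2
        return 2
    fi
    if ! fingerprint_trusted "$fpr"; then
        echo "UNTRUSTED: good signature, but signer $fpr is not pinned" >&2
        return 3
    fi
    echo "OK: $2 signed by pinned key $fpr"
    return 0
}

# Usage (hypothetical file names):
#   verify_download package.tar.gz.asc package.tar.gz
```

The distinction between return codes 2 and 3 is the one the post draws: 3 means the cryptography is fine and the name on the signature is real, it is just not someone you have vouched for. Neither code, and not even 0, says anything about what the package does once installed.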

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug



