[Gllug] Linux Conf GUI

home at alexhudson.com home at alexhudson.com
Thu Jul 19 15:54:49 UTC 2001


On Thu, Jul 19, 2001 at 03:18:27PM +0100, john.hearns at framestore.co.uk wrote:
> So lets set the ball rolling on a discussion of how downloads like
> this, and RPMs etc could be signed?
> (Some savvy person will no doubt explain to us how they can be already).

rpm --verify
rpm --addsign
rpm --resign

dpkg is a little behind, but if it can't do it yet the code is certainly in
CVS AFAIK. 

But, as I said, signing doesn't mean a package is safe - it verifies where
it came from and who made it (so long as the person who holds the private
key doesn't lose it :( Even then, revocation should sort that out.)

I would like to see anyone attempt to claim that they know for sure that the
software they have on their machine is untampered with - you can't know for
sure. You can try pretty hard, like not piping stuff from websites to a root
shell, not downloading from rpmfind, not trusting anything non-major league
from freshmeat, etc. But we're talking degrees - the actual problem remains.

Cheers,

Alex.
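The commands Alex lists tell you whether a package's signature checks out, but the point he makes afterwards is that "OK" only proves origin, and only if the key that signed it is one you actually trust. The following is an added example (not part of the original post, and not code from rpm or the GLLUG list) that turns that reasoning into a check: it parses the verbose checksig output, `rpm -Kv pkg.rpm`, and separates four cases: digest or signature failure (tampered or corrupt), digests only (unsigned), a valid signature from a key you have not trusted, and a valid signature from an allow-listed key. The sample output below is constructed in the shape of `rpm -Kv` output with made-up key IDs, and the trusted key set is hypothetical; a lost or revoked signing key is handled by dropping its ID from that set.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of `rpm -Kv <pkg>` (verbose --checksig)
# output. The package names and key IDs are made up for this example; it is
# not output captured from any real package.
SAMPLE_OUTPUT = """\
good-1.0-1.i386.rpm:
    Header V3 DSA/SHA1 Signature, key ID 0123abcd: OK
    Header SHA1 digest: OK
    V3 DSA/SHA1 Signature, key ID 0123abcd: OK
    MD5 digest: OK
unsigned-1.0-1.i386.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK
unknown-1.0-1.i386.rpm:
    Header V3 DSA/SHA1 Signature, key ID deadbeef: NOKEY
    Header SHA1 digest: OK
    V3 DSA/SHA1 Signature, key ID deadbeef: NOKEY
    MD5 digest: OK
tampered-1.0-1.i386.rpm:
    Header V3 DSA/SHA1 Signature, key ID 0123abcd: BAD
    Header SHA1 digest: BAD
    V3 DSA/SHA1 Signature, key ID 0123abcd: BAD
    MD5 digest: BAD
"""

# Hypothetical allow-list of signing keys we have decided to trust. A key
# that its owner has lost, or that has been revoked, is simply removed here.
TRUSTED_KEY_IDS = {"0123abcd"}

SIG_RE = re.compile(r"Signature, key ID ([0-9a-fA-F]+): (\w+)$")
DIGEST_RE = re.compile(r"digest: (\w+)$")


@dataclass
class PackageCheck:
    name: str
    key_ids: set = field(default_factory=set)       # key IDs seen on signature lines
    sig_results: list = field(default_factory=list)  # OK / NOKEY / BAD per signature
    digest_results: list = field(default_factory=list)  # OK / BAD per digest


def parse_checksig(text):
    """Group `rpm -Kv` output into one PackageCheck per package."""
    packages = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        # A package header is an unindented line ending in ':'.
        if not line.startswith(" ") and line.endswith(":"):
            current = PackageCheck(name=line[:-1])
            packages.append(current)
            continue
        if current is None:
            continue  # stray line before any package header; ignore
        m = SIG_RE.search(line)
        if m:
            current.key_ids.add(m.group(1).lower())
            current.sig_results.append(m.group(2))
            continue
        m = DIGEST_RE.search(line)
        if m:
            current.digest_results.append(m.group(1))
    return packages


def verdict(pkg, trusted=TRUSTED_KEY_IDS):
    """Return 'trusted', 'unsigned', 'untrusted-key' or 'reject' for one package."""
    if any(r != "OK" for r in pkg.digest_results):
        return "reject"          # contents differ from what was built and signed
    if any(r == "BAD" for r in pkg.sig_results):
        return "reject"          # a signature is present but does not verify
    if not pkg.sig_results:
        return "unsigned"        # digests only: integrity in transit, no origin at all
    if any(r == "NOKEY" for r in pkg.sig_results):
        return "untrusted-key"   # signed, but by a key rpm has not been given
    if any(r != "OK" for r in pkg.sig_results):
        return "reject"          # any other non-OK signature state
    if not pkg.key_ids <= trusted:
        return "untrusted-key"   # verifies fine, but not a key we chose to trust
    return "trusted"             # origin established; still says nothing about safety


def check_all(text, trusted=TRUSTED_KEY_IDS):
    """Map package name -> verdict for a whole `rpm -Kv` run."""
    return {p.name: verdict(p, trusted) for p in parse_checksig(text)}


if __name__ == "__main__":
    for name, v in check_all(SAMPLE_OUTPUT).items():
        print(f"{v:14s} {name}")
```

The "trusted" verdict is the strongest thing this check can say, and it is exactly what the post describes: the package came from whoever holds that key, untouched since they signed it. Whether that person built something safe is a separate question the signature cannot answer.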

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug