* Marc Haber ([EMAIL PROTECTED]) [031201 18:25]:
> On Mon, 01 Dec 2003 15:56:59 +0000, Scott James Remnant
> <[EMAIL PROTECTED]> wrote:
> >Download the source package components, verify their MD5 signatures
> >against the Sources file, verify the MD5 signature of the Sources file
> >against the Release file and verify that file's GPG signature. This
> >proves that the package has successfully passed through the ftp-master
> >process and entered the archive.
> The GPG signature on the Release file is automatically generated with
> a key that was stored on one of the compromised boxes. That trust
> chain is thus broken at its very beginning, and unfortunately the
> stable release manager seems to ignore questions on IRC asking for a
> 3.0r2 Release file signed with his personal GPG key.

It is certainly a very good idea to sign the long-living Release files (also|only) with an off-line key. It would IMHO be even better if the debs were also (better) signed than they are, because double protection is always better than single protection.

Cheers,
Andi
--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
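The hash chain Scott describes (source components checked against Sources, Sources checked against Release, Release checked via its GPG signature), written out as an added illustration that is not code from this thread. It assumes the Release file's detached signature has already been verified with gpgv against a key you trust, which is exactly the link Marc says is broken: nothing below can detect a Release file signed by a key taken from a compromised host. The mini-archive (package name, paths, file contents) is constructed inline; the MD5 fields match the 2003-era Release and Sources formats the thread refers to.

```python
import hashlib

def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def parse_release_md5sums(release_text: str) -> dict:
    """Parse the 'MD5Sum:' section of a Release file into {path: (md5, size)}."""
    sums, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            sums[path] = (digest, int(size))
        else:
            in_section = False  # any other field ends the section
    return sums

def parse_sources_files(sources_text: str) -> dict:
    """Parse the 'Files:' field of Sources stanzas into {filename: (md5, size)}."""
    files, in_files = {}, False
    for line in sources_text.splitlines():
        if line.startswith("Files:"):
            in_files = True
        elif in_files and line.startswith(" "):
            digest, size, name = line.split()
            files[name] = (digest, int(size))
        else:
            in_files = False
    return files

def verify_chain(release_text, sources_path, sources_bytes, components):
    """Return (ok, reason). Precondition: release_text's GPG signature was already checked."""
    release_sums = parse_release_md5sums(release_text)
    if sources_path not in release_sums:
        return False, "Sources not listed in Release"
    digest, size = release_sums[sources_path]
    if len(sources_bytes) != size or md5hex(sources_bytes) != digest:
        return False, "Sources file does not match Release"
    expected = parse_sources_files(sources_bytes.decode())
    for name, data in components.items():  # every downloaded component must match
        if name not in expected:
            return False, f"{name} not listed in Sources"
        d, s = expected[name]
        if len(data) != s or md5hex(data) != d:
            return False, f"{name} hash mismatch"
    return True, "hash chain intact"

def make_fixture():
    """Constructed mini-archive (hypothetical 'hello' package, not real Debian data)."""
    components = {"hello_1.0.orig.tar.gz": b"fake orig tarball bytes",
                  "hello_1.0-1.diff.gz": b"fake diff bytes",
                  "hello_1.0-1.dsc": b"fake dsc bytes"}
    files = "".join(f" {md5hex(d)} {len(d)} {n}\n" for n, d in components.items())
    sources = f"Package: hello\nVersion: 1.0-1\nFiles:\n{files}".encode()
    path = "main/source/Sources"
    release = f"Suite: stable\nMD5Sum:\n {md5hex(sources)} {len(sources)} {path}\n"
    return release, path, sources, components
```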