* Scott James Remnant ([EMAIL PROTECTED]) [031201 18:40]:
> On Mon, 2003-12-01 at 16:26, John Goerzen wrote:
> > Even if the attacker could place a new keyring file in the archive,
> > people verifying signatures on signed .debs would not install it, since
> > it would not have the signature of a developer.
>
> What defines "the signature of a developer"? That their key is in the
> keyring, so if a hax0r decided to compromise our keyring and add a key to
> it, there'd be no way to tell that it wasn't a developer's key.

For dpkg on my computer: That the signature is in _my_ _currently_
installed keyring package.

Cheers,
Andi
-- 
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
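The trust-root rule Andi states above, as an added illustration that is not part of the thread and not dpkg's or Debian's own code: signatures are checked only against the keyring already installed on the verifying machine, and a replacement keyring arriving from the archive is itself just another signed artifact that must verify against that installed keyring before it is adopted. The model uses Ed25519 from Go's standard library instead of OpenPGP, a canonical "id:hexkey" line format for the keyring, and the key IDs, package contents and developer names are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Keyring models the locally installed keyring package: the only trust root
// this verifier consults. Keys are indexed by a short key ID (an assumption
// of this example, not an OpenPGP fingerprint).
type Keyring map[string]ed25519.PublicKey

// Signed is an artifact (a .deb, or a proposed new keyring) together with
// the ID of the key that signed it and the detached signature.
type Signed struct {
	KeyID string
	Data  []byte
	Sig   []byte
}

// Developer holds a signing key; only its public half ever enters a keyring.
type Developer struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewDeveloper(id string) (*Developer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Developer{ID: id, priv: priv}, nil
}

func (d *Developer) Public() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

func (d *Developer) Sign(data []byte) Signed {
	return Signed{KeyID: d.ID, Data: data, Sig: ed25519.Sign(d.priv, data)}
}

// Verify accepts an artifact only if its signing key is in *this* keyring and
// the signature checks. A key that merely appears in some keyring file shipped
// in the archive is never consulted.
func (kr Keyring) Verify(s Signed) error {
	pub, ok := kr[s.KeyID]
	if !ok {
		return fmt.Errorf("key %q is not in the installed keyring", s.KeyID)
	}
	if !ed25519.Verify(pub, s.Data, s.Sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Encode serialises a keyring canonically (sorted "id:hexkey" lines) so that
// a keyring update can be signed and verified as ordinary data.
func (kr Keyring) Encode() []byte {
	ids := make([]string, 0, len(kr))
	for id := range kr {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	var buf bytes.Buffer
	for _, id := range ids {
		fmt.Fprintf(&buf, "%s:%s\n", id, hex.EncodeToString(kr[id]))
	}
	return buf.Bytes()
}

// Decode parses the format produced by Encode, rejecting malformed keys.
func Decode(data []byte) (Keyring, error) {
	kr := Keyring{}
	for _, line := range strings.Split(strings.TrimSpace(string(data)), "\n") {
		if line == "" {
			continue
		}
		id, hexKey, ok := strings.Cut(line, ":")
		if !ok {
			return nil, fmt.Errorf("malformed keyring line %q", line)
		}
		raw, err := hex.DecodeString(hexKey)
		if err != nil || len(raw) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("malformed public key for %q", id)
		}
		kr[id] = ed25519.PublicKey(raw)
	}
	return kr, nil
}

// Update adopts a proposed keyring only if the proposal verifies against the
// keyring currently installed. A keyring an intruder plants in the archive and
// signs with their own (not yet trusted) key is therefore rejected.
func (kr Keyring) Update(proposed Signed) (Keyring, error) {
	if err := kr.Verify(proposed); err != nil {
		return nil, fmt.Errorf("keyring update rejected: %w", err)
	}
	return Decode(proposed.Data)
}

func main() {
	dev, err := NewDeveloper("dev1")
	if err != nil {
		panic(err)
	}
	installed := Keyring{dev.ID: dev.Public()}
	fmt.Println("developer-signed .deb:", installed.Verify(dev.Sign([]byte("constructed package"))))

	intruder, _ := NewDeveloper("hax0r")
	fmt.Println("intruder-signed .deb:", installed.Verify(intruder.Sign([]byte("trojan"))))

	forged := Keyring{dev.ID: dev.Public(), intruder.ID: intruder.Public()}
	_, err = installed.Update(intruder.Sign(forged.Encode()))
	fmt.Println("self-signed keyring from the archive:", err)
}
```

The design point is that the installed keyring is the verifier's only trust root: adding a key to a keyring file in the archive gains nothing unless a key the machine already trusts signs that file, which is the property Andi is relying on.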