On Thu, Dec 04, 2003 at 02:41:43PM -0500, Matt Zimmerman wrote:
> On Thu, Dec 04, 2003 at 12:28:41PM -0600, Manoj Srivastava wrote:
>
> > On Thu, 4 Dec 2003 11:47:50 -0500, Matt Zimmerman <[EMAIL PROTECTED]> said:
> >
> > > What kind of real world attacks do signed debs prevent? Not a
> > > compromised buildd, or a compromised maintainer's workstation.
> >
> > It would allow me to copy .debs around with other people, or
> > use .debs not made available through the usual chain of security; as
> > long as the author happens to be in my web of trust.
>
> What kind of real world attacks do signed debs prevent?
>
> The only one which comes to mind is a rogue Debian developer that you do not
> wish to trust, even though the project trusts him.

Someone pretending to be someone Manoj trusts, offering him a corrupted .deb
offline?

--
Daniel Jacobowitz
MontaVista Software
Debian GNU/Linux Developer