* Michael Banck: > Assuming that compromised mirrors get quickly identified by people using > signatures, and buildd packages having to be uploaded directly, the > amount of compromised packages this way is probably small, so they can > be rebuilt using packages from another mirror, after the build logs have > been inspected to see whether compromised packages have indeed been > used.
I think it's possible to detect on the mirror side if the downloader is going to verify any signatures. So it's possible to avoid the kind of detection we get for free. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
