On Tue, Dec 03, 2002 at 09:56:57PM +0100, martin f krafft wrote:
> signed packages or release files are being worked on. hold your toes.

been watching the threads on that...

> in the meantime you should bitch heavily at any operator of an
> archive who has a higher version number of some software in his
> archives than one can find in Debian.

yeah, but my concern was how do i know, if all i do is apt-get update and apt-get upgrade, without watching from where each package is getting downloaded, and whether or not it's newer than what's on debian.org?

my concern is that if a site were compromised and new packages inserted (and possibly signed with a made-up gpg key, hence the need for something more official), someone could 'upgrade' certain packages like, say, libc6, to contain trojan code.

while i'm not as concerned with servers like ftp.us.debian.org being compromised (though it is a concern to the pessimist), i'd like to make sure that the extra sources.list entries i've put in for other things (like, say, blackdown) don't do more than what i've put them in for.

is there any way to limit what packages could be downloaded from what sites?

sean