From where comes the trust for your archive?

Let me explain something that I am sure you are fully aware of, just to point
it out.

Your site says to download the following keyring file in order to trust your
packages:

http://www.debian-multimedia.org/pool/main/d/debian-multimedia-keyring/debian-multimedia-keyring_2010.12.26_all.deb

Let's say that I work for the NSA, FBI, etc. and I want to gain access to
someone's computer. All that I have to do is to use a man in the middle
attack so that when such a request comes across the wire for that key file,
it will instead receive my evil exploit key file. Once a user installs your
package, and configures their system to use your package archive, then I can
replace ANY file on their system simply by providing an updated version of
such file. I would also have to mirror your archive and block their access
to it, or create some other way so that it would be difficult for them to
verify my actions. However, that is quite trivial when I also have direct
access to their network connection. I could just send an exploit package
file, but then they could use your real key file to see that it was a
forgery. So, by intercepting requests for your key file, I could compromise
thousands of computers.

This might seem a bit paranoid; however, I live in the USA. So, as you
probably are well aware, my government loves to spy on us citizens, even
without warrant or cause.

So, I am basically stuck blindly trusting that your keyring file has not
been compromised and that your website is not an evil mirror.

You might at least put up a secure SSL connection so that someone might have
some chance to blindly trust your server's files. However, if you live in
France, that might not be possible, as I read somewhere that it is illegal to
use crypto there. So, the only real way to provide some trust is to have
your key package file included in the official Debian archive. That way, if
someone were to want to use your archive, then they could simply install
your keyring package and then they would not have to blindly trust your
server.

Sincerely,

The Suspect

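The message above argues that a keyring fetched over plain HTTP from the same server it is meant to vouch for can be swapped in transit, after which every package the attacker signs is accepted. The only defence that survives an active attacker on the wire is to compare the fingerprint of the key you received with one obtained out of band (from the official Debian archive, a signed announcement, or the maintainer in person) before telling apt to trust it. The following is an added example of that check, written for this page; it is not code from the original message or from the debian-multimedia project. It assumes you have already extracted the raw (binary, not ASCII-armored) OpenPGP keyring from the downloaded .deb, that the pinned fingerprint came from somewhere the attacker could not tamper with, and it uses constructed sample keys with made-up moduli so that it runs offline; the fingerprint computation itself follows RFC 4880 section 12.2 and the packet header rules of section 4.2.

```python
import hashlib
import hmac
import struct


def _mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def _new_format_header(tag: int, body_len: int) -> bytes:
    """New-format packet header (RFC 4880 section 4.2.2): 1-, 2- or 5-byte length."""
    first = 0xC0 | tag
    if body_len < 192:
        return bytes([first, body_len])
    if body_len < 8384:
        body_len -= 192
        return bytes([first, (body_len >> 8) + 192, body_len & 0xFF])
    return bytes([first, 0xFF]) + struct.pack(">I", body_len)


def build_rsa_public_key_packet(n: int, e: int, created: int) -> bytes:
    """Build a v4 RSA public-key packet (tag 6): version, creation time, algorithm 1, MPIs n and e."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)
    return _new_format_header(6, len(body)) + body


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet in a binary OpenPGP stream, old- or new-format headers."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:  # new format
            tag = first & 0x3F
            b0 = data[pos + 1]
            if b0 < 192:
                length, hdr = b0, 2
            elif b0 < 224:
                length, hdr = ((b0 - 192) << 8) + data[pos + 2] + 192, 3
            elif b0 == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old format, which GnuPG still uses for public-key packets
            tag = (first >> 2) & 0x0F
            ltype = first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            hdr = 1 + size
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        pos += hdr + length


def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length, and the body; uppercase hex."""
    if key_body[:1] != b"\x04":
        raise ValueError("only v4 keys are supported")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body)
    return digest.hexdigest().upper()


def primary_fingerprint(keyring: bytes) -> str:
    """Fingerprint of the first primary public key (tag 6) found in the keyring."""
    for tag, body in iter_packets(keyring):
        if tag == 6:
            return v4_fingerprint(body)
    raise ValueError("no public-key packet found")


def keyring_matches(keyring: bytes, expected_fingerprint: str) -> bool:
    """True only if the keyring's first primary key carries the out-of-band pinned fingerprint."""
    try:
        actual = primary_fingerprint(keyring)
    except (ValueError, IndexError, struct.error):
        return False
    expected = expected_fingerprint.replace(" ", "").upper()
    return hmac.compare_digest(actual, expected)


# Constructed sample keys for this example (not real archive keys): deterministic
# 2048-bit moduli with e = 65537. The attacker's key differs only in the modulus.
GENUINE_KEYRING = build_rsa_public_key_packet((1 << 2047) | 0x12345678, 65537, 1293321600)
ATTACKER_KEYRING = build_rsa_public_key_packet((1 << 2047) | 0x0BADF00D, 65537, 1293321600)
# In practice this string comes from a channel the attacker cannot rewrite; here it is
# simply the genuine key's fingerprint so the example is self-contained.
PINNED_FINGERPRINT = primary_fingerprint(GENUINE_KEYRING)

if __name__ == "__main__":
    for label, keyring in (("genuine", GENUINE_KEYRING), ("substituted", ATTACKER_KEYRING)):
        print(label, primary_fingerprint(keyring), keyring_matches(keyring, PINNED_FINGERPRINT))
```

The comparison is done on the full 160-bit fingerprint rather than the 8-hex-digit key ID, because short key IDs are cheap to collide, and with `hmac.compare_digest` so the check does not leak how many leading characters matched. If the fingerprint does not match, the keyring is discarded and nothing is added to apt's trusted keys; note that this only moves the trust question to wherever the pinned fingerprint came from, which is exactly why the message asks for the keyring to ship in the official Debian archive.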