Re: Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)




On Tuesday 15 June 2010 19:37:00 Pierre Schmitz wrote:
> On Tue, 15 Jun 2010 19:23:14 +0300, Aleksis Jauntēvs
> <aleksis.jauntevs@xxxxxxxxx> wrote:
> > I don't think that repo.db should be signed and it is enough to sign only
> > the packages. As I understand so far the only reason to sign repo.db file
> > is to prevent "replay" situations in repos.
> 
> It's the other way round: signing the DB is important while signing single
> packages is not (but should still be done for some reasons).
> 
> If the DB is not signed I could simply add additional packages or replace
> packages.

Yes, but if we compare the repo.db's with other mirrors then we could tell 
that this has happened.

-- 
Aleksis Jauntēvs
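
The cross-mirror comparison discussed in this message, as an added example that is not part of the original e-mail or of pacman itself: it parses each mirror's repo.db and reports entries that disagree with the majority. It assumes the pacman repo.db layout (a compressed tar with one `<name>-<version>/desc` file per package carrying `%NAME%`, `%VERSION%` and `%SHA256SUM%` fields); the mirror names, versions other than the one in the subject line, and digests are constructed.

```python
import io
import tarfile
from collections import Counter

def make_db(packages):
    """Build a constructed in-memory repo.db: gzip tar of <name>-<version>/desc."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, (version, digest) in packages.items():
            desc = f"%NAME%\n{name}\n\n%VERSION%\n{version}\n\n%SHA256SUM%\n{digest}\n".encode()
            info = tarfile.TarInfo(f"{name}-{version}/desc")
            info.size = len(desc)
            tar.addfile(info, io.BytesIO(desc))
    return buf.getvalue()

def parse_db(blob):
    """Return {name: (version, sha256)} read from every desc entry."""
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar:
            if not (member.isfile() and member.name.endswith("/desc")):
                continue
            lines = tar.extractfile(member).read().decode().splitlines()
            # A "%FIELD%" header line is followed by its value on the next line.
            fields = {k: v for k, v in zip(lines, lines[1:]) if k.startswith("%")}
            entries[fields["%NAME%"]] = (fields["%VERSION%"], fields["%SHA256SUM%"])
    return entries

def compare_mirrors(dbs):
    """Map mirror -> [(package, majority_entry, this_mirror_entry)] for disagreements."""
    parsed = {mirror: parse_db(blob) for mirror, blob in dbs.items()}
    findings = {}
    for name in sorted(set().union(*parsed.values())):
        majority = Counter(p.get(name) for p in parsed.values()).most_common(1)[0][0]
        for mirror, pkgs in parsed.items():
            if pkgs.get(name) != majority:
                findings.setdefault(mirror, []).append((name, majority, pkgs.get(name)))
    return findings

# Constructed sample data: digests are placeholders, mirror names are hypothetical.
GOOD = {"unrealircd": ("3.2.8.1-2", "aa" * 32), "pacman": ("3.3.3-5", "bb" * 32)}
SAMPLE = {
    "mirror-a": make_db(GOOD),
    "mirror-b": make_db(GOOD),
    "mirror-c": make_db({**GOOD, "pacman": ("3.3.3-4", "cc" * 32)}),  # not yet synced
    "mirror-d": make_db({**GOOD, "unrealircd": ("3.2.8.1-2", "dd" * 32),  # replaced
                         "extra-tool": ("1.0-1", "ee" * 32)}),             # added
}

if __name__ == "__main__":
    for mirror, diffs in compare_mirrors(SAMPLE).items():
        print(mirror, diffs)
```

In the sample, the mirror that has simply not synced yet is reported alongside the one with a replaced and an added package, so a difference on its own only says that a mirror needs a closer look.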

