Quoting Stephane Dudzinski <stephane at cp.dias.ie>:
> And here's the exact message :
>http://slashdot.org/comments.pl?sid=93397&cid=8019621>> Anyone have been using/testing the trusted-apt he's referring to ?
> Steph
I assumed that debian packages were already using pgp signing to authenicate
that the came from who you expected them to come from. Know that pgp is used
for all the rpms that I download and install (automated so will bomb out of
install if signiture wrong).
But once you use package signing, doesn't it all come down to the same thing,
trust of the supplier. After all, secure connections to a server just mean
that yes your retreiving these from the server, but you still have to trust
whoever put them up there.
tbh, no matter how many layers of security are put between the server and you,
it all depends on whether you trust the person that created the package. To my
mind pgp is sufficient, cause if you don't trust the creator you shouldn't
install any of their packages anyway, no matter where you get them from.
--
Darragh
"Nothing's foolproof to a sufficently talented fool"
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
