Darragh Bailey wrote:
>Quoting Stephane Dudzinski <stephane at cp.dias.ie>:
>>>>>And here's the exact message :
>>http://slashdot.org/comments.pl?sid=93397&cid=8019621>>>>Anyone have been using/testing the trusted-apt he's referring to ?
>>Steph
>>>>>>I assumed that debian packages were already using pgp signing to authenicate
>that the came from who you expected them to come from. Know that pgp is used
>for all the rpms that I download and install (automated so will bomb out of
>install if signiture wrong).
>>But once you use package signing, doesn't it all come down to the same thing,
>trust of the supplier. After all, secure connections to a server just mean
>that yes your retreiving these from the server, but you still have to trust
>whoever put them up there.
>>tbh, no matter how many layers of security are put between the server and you,
>it all depends on whether you trust the person that created the package. To my
>mind pgp is sufficient, cause if you don't trust the creator you shouldn't
>install any of their packages anyway, no matter where you get them from.
>>>not if you can't trust the code running on your machine at the moment.
Though I'm not sure how a reboot would change that too much. Even if
the package from debian.org was perfect, all it takes is apt to s/good
code/bad code/
for your day to get worse.
L.
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
