Pantek Library

Re: Recent updates

From: Jim Popovitch <yahoo(at)jimpop.com>
Date: Sun Feb 17 2008 - 17:42:46 EST


On Feb 17, 2008 3:48 PM, Alexander Schmehl <tolimar@debian.org> wrote:
> Yes, as the last couple of announcements did. The problem is that if we
> announce a new release before it is sent to the mirrors, mirrors are hit
> very hard, hindering the sync of our mirror network.
>
> So in general we first push upgrades to the mirrors, and then send out
> announcements.

That does make good sense, for the masses (of which I am one) I suppose.

> Well, a rogue hacker would need to be quite skilled to add some kind of
> "bad" package.
>
> Let's assume he has created a bad package and got control over a mirror
> (since he can't upload the package himself that's the only way to
> include it). Of course he could add his package to the Debian archive
> he has on that mirror, but since packages and releases are signed with
> gpg he couldn't benefit from that, since as soon as someone tries to
> install his bad package, package management would detect the wrong
> signature.

Thanks for the explanation Alexander,

-Jim P.

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Received on Sun Feb 17 17:43:37 2008
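
Added example, not part of the original thread: a sketch of why a tampered mirror is caught, going one step beyond the quoted summary by showing the chain apt relies on (the signature covers the Release file, Release lists the hash of Packages, Packages lists the hash of each .deb). Assumptions: a Lamport one-time signature stands in for the archive's GPG key so the code runs on the Python standard library alone, the index file syntax is simplified, and all names and sample data are constructed.

```python
import hashlib, secrets

def H(data): return hashlib.sha256(data).digest()

# Lamport one-time signature: a stdlib-only stand-in for the archive's GPG key.
def keygen():
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    return sk, [[H(s) for s in pair] for pair in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]
def verify(pk, msg, sig):
    return len(sig) == 256 and all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def index(files):
    # One "<sha256>  <name>" line per file (simplified, not the real file syntax).
    return "".join(f"{H(d).hex()}  {n}\n" for n, d in files.items()).encode()

def listed(index_bytes):
    return {n: d for d, _, n in (l.partition("  ") for l in index_bytes.decode().splitlines())}

def check_download(pk, release, sig, packages, name, deb):
    """What the client checks on files fetched from an untrusted mirror."""
    if not verify(pk, release, sig):
        return "bad Release signature"
    if listed(release).get("Packages") != H(packages).hex():
        return "Packages does not match signed Release"
    if listed(packages).get(name) != H(deb).hex():
        return "package does not match Packages"
    return "ok"

# Constructed sample archive, as published by the archive maintainers.
SK, PK = keygen()
NAME, DEB = "hello_1.0_all.deb", b"genuine package contents"
PACKAGES = index({NAME: DEB})
RELEASE = index({"Packages": PACKAGES})
SIG = sign(SK, RELEASE)

def tamper_cases():
    evil = b"altered package contents"
    evil_pkgs = index({NAME: evil})
    evil_rel = index({"Packages": evil_pkgs})
    cases = [(RELEASE, PACKAGES, DEB), (RELEASE, PACKAGES, evil),
             (RELEASE, evil_pkgs, evil), (evil_rel, evil_pkgs, evil)]
    return [check_download(PK, r, SIG, p, NAME, d) for r, p, d in cases]
```

`tamper_cases()` returns one verdict each for an untouched mirror and for a mirror that altered the package, the package plus Packages, and all three files; without the archive's private key, each alteration fails at a different link of the chain.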

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:55:58 EDT

