[Catalog-sig] How to verify cheeseshop signatures?
"Martin v. Löwis"
martin at v.loewis.de
Sun Oct 23 21:32:08 CEST 2005
Phillip J. Eby wrote:
>> So the assumption is that the cheeseshop is trusted, right?
> Right, but only at the same level that the cheeseshop-provided md5 is
> correct. Assuming that the cheeseshop download area is distinct from
> the cheeseshop application database, and one might be hacked but not the
> other, then keeping the information separate is more useful than storing
> it together.
Of course, this assumption is wrong: the download area is not different
from the database, and whoever can hack one can easily hack the other.