[Catalog-sig] How to verify cheeseshop signatures?

"Martin v. Löwis" martin at v.loewis.de
Sun Oct 23 21:32:08 CEST 2005

Phillip J. Eby wrote:
>> So the assumption is that the cheeseshop is trusted, right?
> Right, but only at the same level that the cheeseshop-provided md5 is 
> correct.  Assuming  that the cheeseshop download area is distinct from 
> the cheeseshop application database, and one might be hacked but not the 
> other, then keeping the information separate is more useful than storing 
> it together.

Of course, this assumption is wrong: the download area is not different
from the database, and whoever can hack one can easily hack the other.


More information about the Catalog-sig mailing list