[LBo] Mint Linux

Troy troythetechguy at gmail.com
Wed Aug 29 04:33:46 CEST 2007


Jisao,

Thank you for your explanation.  I now believe I have an understanding of
signing, and will sleep better tonight!

On 8/28/07, Jisao <dimark at securenet.net> wrote:
>
> On Tue, 28 Aug 2007 11:34:04 -0500, Troy wrote
> > > Even when a repository signs their packages, you don't "need" to check the
> > > signature to see if the packages are "mint" (pardon the pun ;0D).
> > >
> > > So, the goal of signing is very different from the "signed by Micro$oft".
> >
> > Jisao,
> >
> > Thanks for your response.  If I understand correctly, signing is a
> > way to ensure the package is authentic (has not been hacked).  By
> > using Mint Linux, who does not support signed packages in their
> > repository, am I at a greater risk for downloading and installing a
> > hacked package?
>
> I don't have an informed answer.  My guess would be that yes, there is a
> greater risk.  However, how much is "greater"?  Hard to quantify.  And more
> importantly, what would be the consequence for you to have a "damaged"
> system from an improper download/update?
>
> As a home user, it might be an acceptable risk.  It all depends. I
> personally don't verify the Debian packages I apt-get.
>
>
> > Even if a repository signs their packages, is there still the possibility
> > the package could have been hacked, or is signing a package a
> > guarantee the package is authentic?
>
> I don't know about 100% guarantee, but it is pretty difficult to hack a key.
> So I would say that it reduces the risk to a very acceptable level, even for
> a corporation.
>
> >
> > To help me put signing into terms I understand, is signing a package
> > similar to MD5 Sum?
>
> Not exactly. I am not an expert in signing, but I would say that MD5sum is
> adding up a list to a total and seeing if you come up with the same total
> doing the sum on what you have, whereas signing is like translating it to some
> garbled contents, which you have the special key to ungarble. As the
> garbling key is secret, the fact that you can ungarble it means you got the
> contents from the right sender, in this case the repository.
>
> I hope my explanation is clear.
> >
> > Learning something new everyday!
>
> :-)
> --
> QnA mailing list - To post: QnA at linuxbasics.org
> Site: http://LinuxBasics.org
> List-options: http://LinuxBasics.org/cgi-bin/mailman/listinfo/qna
>
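Jisao's MD5-versus-signing analogy, worked through as an added illustration that is not part of the original thread: a constructed textbook RSA key pair (no padding, two known Mersenne primes standing in for a properly generated key) signs the SHA-256 digest of a constructed package. A mirror that swaps the package can simply recompute the MD5 sum, but without the repository's private exponent it cannot produce a signature that "ungarbles" under the public key.

```python
import hashlib

# Constructed toy key pair (illustration only; apt/GnuPG use properly generated,
# padded keys). 2**127-1 and 2**521-1 are known Mersenne primes, large enough
# that a SHA-256 digest fits below the modulus. pow(e, -1, m) needs Python 3.8+.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: the repository's secret "garbling" key

# Constructed stand-ins for a package as published and as altered on a hostile mirror.
PACKAGE = b"Package: foo\nVersion: 1.0\nDepends: libc6\n"
TAMPERED = b"Package: foo\nVersion: 1.0\nDepends: libc6\nPostinst: /tmp/x\n"


def checksum(data: bytes) -> str:
    """MD5 sum: a total anyone can recompute, including whoever altered the file."""
    return hashlib.md5(data).hexdigest()


def sign(data: bytes, private_exponent: int = D) -> int:
    """'Garble' the SHA-256 digest with the private exponent (textbook RSA, no padding)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(digest, private_exponent, N)


def verify(data: bytes, signature: int) -> bool:
    """'Ungarble' with the public exponent and compare with a freshly computed digest."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, E, N) == digest


def client_accepts_with_md5(package: bytes, published_md5: str) -> bool:
    """A mirror that swaps the package also ships a matching .md5, so the check passes."""
    return checksum(package) == published_md5


def client_accepts_with_signature(package: bytes, signature: int) -> bool:
    """The attacker can only replay the repository's old signature or 'sign' with
    the public exponent E; neither verifies against the altered package."""
    return verify(package, signature)


if __name__ == "__main__":
    print("md5, honest mirror:     ", client_accepts_with_md5(PACKAGE, checksum(PACKAGE)))
    print("md5, tampered mirror:   ", client_accepts_with_md5(TAMPERED, checksum(TAMPERED)))
    print("sig, honest mirror:     ", client_accepts_with_signature(PACKAGE, sign(PACKAGE)))
    print("sig, replayed signature:", client_accepts_with_signature(TAMPERED, sign(PACKAGE)))
    print("sig, forged with E only:", client_accepts_with_signature(TAMPERED, sign(TAMPERED, E)))
```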

