AW: AW: AW: Users GnuPG aims for? (Re: Breaking MIME concatenation)

NdK ndk.clanbo at
Fri May 18 12:48:42 CEST 2018

On 18/05/2018 07:31, Fiedler Roman wrote:

> I thought about that also, but shouldn't 99%+ of systems perform no pinning whatsoever of packages to repositories? In that case, the "wrong" repository could publish just a slightly increased package version number of a package from another repository. Unattended updates will apply it anyway, and for users it would also be hard to notice: at least my "apt-get" version does not show any information about the repository a package would be downloaded from before confirming the installation. Thus the user would have to check each single package manually by invoking "apt-cache policy [pkg-name]", or use "apt-get download [packagelist]", check the logs and install the packages with "dpkg".
Well, assume that whoever can publish to a repo you trust *is root* on your
machine. Even if you could pin the package, what prevents him from
adding a suid exe?

> Unless my system is misconfigured or other assumptions do not hold true, that would imply that the only security benefit from key pinning is about maintenance, making detection/pruning of stale keys easier.
That's exactly what they're for.
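The per-package "apt-cache policy" check Roman describes doing by hand can be scripted. What follows is an added example written for this archive page; it is not code from either message, from GnuPG or from apt. It assumes the apt-cache policy output layout reproduced in the embedded constructed sample (Debian/Ubuntu apt) and a TRUSTED_HOSTS allow-list that you replace with the mirrors you actually trust. It flags every package whose candidate version is offered only by repositories outside that list, which is exactly the "slightly increased version number from the wrong repository" case.

```python
"""Report apt packages whose candidate version comes only from untrusted repositories.

Added example for this thread (not from the original posts, GnuPG or apt).
Assumption: `apt-cache policy PKG...` prints the layout shown in SAMPLE_POLICY.
"""
import re
import subprocess
import sys
from urllib.parse import urlsplit

# Assumption: the repository hosts you trust; adapt to your own mirrors.
TRUSTED_HOSTS = {"deb.debian.org", "security.debian.org"}

# Constructed sample (not captured from a real system). "coreutils" is fine;
# "libfoo1" has a candidate that only a third-party repo offers, with a version
# string bumped just above the distribution's own.
SAMPLE_POLICY = """\
coreutils:
  Installed: 9.1-1
  Candidate: 9.1-1
  Version table:
 *** 9.1-1 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages
        100 /var/lib/dpkg/status
libfoo1:
  Installed: 1.2.3-1
  Candidate: 1.2.3-1+really1
  Version table:
     1.2.3-1+really1 500
        500 https://repo.third-party.example/debian bookworm/main amd64 Packages
 *** 1.2.3-1 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages
        100 /var/lib/dpkg/status
"""

_INT = re.compile(r"-?\d+$")


def parse_policy(text):
    """Return {pkg: {"installed": v, "candidate": v, "versions": {v: [origin, ...]}}}.

    Version rows look like ' *** 1.0-1 500' (installed) or '     1.0-2 500'; the
    rows beneath a version are '        500 http://host/path suite/comp arch Packages'
    or '        100 /var/lib/dpkg/status'. Only per-package output is expected
    (run apt-cache policy with package names, not bare).
    """
    pkgs = {}
    pkg = version = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):  # "pkgname:" header
            pkg = line[:-1]
            pkgs[pkg] = {"installed": None, "candidate": None, "versions": {}}
            version = None
            continue
        if pkg is None:
            continue
        tokens = line.split()
        if tokens[0] == "Installed:":
            pkgs[pkg]["installed"] = tokens[1]
        elif tokens[0] == "Candidate:":
            pkgs[pkg]["candidate"] = tokens[1]
        elif tokens[0] == "***" or (len(tokens) == 2 and _INT.match(tokens[1])):
            # Version row: optional '***' marker, then version and its priority.
            version = tokens[1] if tokens[0] == "***" else tokens[0]
            pkgs[pkg]["versions"].setdefault(version, [])
        elif version is not None and len(tokens) >= 2 and _INT.match(tokens[0]):
            # Origin row under the current version: priority, then the source.
            pkgs[pkg]["versions"][version].append(tokens[1])
    return pkgs


def origin_host(origin):
    """Hostname of a repository URL; None for local sources like /var/lib/dpkg/status."""
    return urlsplit(origin).hostname if "://" in origin else None


def untrusted_candidates(pkgs, trusted=TRUSTED_HOSTS):
    """{pkg: (candidate, [hosts])} for packages whose candidate no trusted host offers."""
    flagged = {}
    for name, info in pkgs.items():
        cand = info["candidate"]
        if cand in (None, "(none)"):
            continue
        hosts = [h for h in map(origin_host, info["versions"].get(cand, [])) if h]
        if hosts and not any(h in trusted for h in hosts):
            flagged[name] = (cand, hosts)
    return flagged


def main(argv):
    if len(argv) > 1:  # real system: ask apt-cache about the named packages
        text = subprocess.run(["apt-cache", "policy", *argv[1:]],
                              check=True, capture_output=True, text=True).stdout
    else:              # no arguments: demonstrate on the constructed sample
        text = SAMPLE_POLICY
    for name, (cand, hosts) in sorted(untrusted_candidates(parse_policy(text)).items()):
        print(f"{name}: candidate {cand} offered only by {', '.join(sorted(hosts))}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_origins.py $(dpkg-query -f '${binary:Package}\n' -W)` to sweep every installed package before an upgrade. This is detection only; the corresponding prevention is an apt_preferences(5) stanza such as `Package: *` / `Pin: origin repo.third-party.example` / `Pin-Priority: -1`, which stops apt from installing anything from that origin. Neither helps against the case NdK raises: a repository whose signing key you already trust does not need a version bump to get arbitrary code onto the machine.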
