Re: [discuss] A couple of new updates but no advisory
From: Vincent Danen (vdanen mandrakesoft.com)
Date: Wed Nov 19 2003 - 20:20:41 CST
On Nov 19, 2003, at 17:22, Dick Gevers wrote:
>> There is really no need.
>>
>> Every package is GPG-signed with the security linux-mandrake.com key.
>> Every directory has a md5sums file that is likewise signed by that same
>> key. So you can check the md5sum file and the rpm itself for validity.
>>
>> I'd say that is a lot more secure than throwing an advisory file on
>> there.
>
> I'm under the impression that Jason was suggesting it more as a tool for
> anyone wandering in and noting 'hey this is new, what's the cause, I'm
> wondering what's up with my current package....' and (s)he could instantly
> refer to the detached advisory in the same spot.

No.

Sorry, I understand your reasoning but it's just too much to
maintain. Advisories go in plenty of places as it is... I don't think
on the mirrors is an appropriate place.

You must understand that not everyone can be pleased all the time, and
I could make the advisories available a million different ways and in a
dozen different places and someone will still have a problem with it.

If you really need to know what the package fixes, do a "rpm -qp
package.rpm --changelog" and read the changelog. That's the best I can
do for you.

---
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
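
The verification chain described in the quoted text (signed md5sums file, then the checksums, then the signature on each rpm), as an added shell example that is not part of the original message or of MandrakeSoft's tooling. The file names `md5sums` and `md5sums.asc`, the detached-signature layout, the keyring argument and both function names are assumptions.

```sh
#!/bin/sh
# Added example. Assumed names (not from the post): manifest "md5sums" with a
# detached signature "md5sums.asc"; KEYRING holds only the vendor security key.

# check_md5sums DIR: 0 if every listed file matches and every *.rpm is listed,
# 1 on a mismatch or an unlisted package, 2 if there is no manifest.
check_md5sums() {
    dir=$1
    [ -f "$dir/md5sums" ] || { echo "no md5sums file in $dir" >&2; return 2; }
    # md5sum -c exits non-zero on any mismatch or unreadable file.
    ( cd "$dir" && md5sum -c md5sums ) || return 1
    for pkg in "$dir"/*.rpm; do
        [ -e "$pkg" ] || continue
        name=${pkg##*/}
        # Manifest lines are "<hash>  <name>" or "<hash> *<name>".
        awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) found = 1 }
                          END { exit !found }' "$dir/md5sums" ||
            { echo "unlisted package: $name" >&2; return 1; }
    done
    return 0
}

# verify_mirror_dir DIR KEYRING: signature on the manifest first, then the
# checksums, then the signature embedded in each package.
verify_mirror_dir() {
    dir=$1
    keyring=$2
    # gpgv accepts only keys in the given keyring, so a valid signature made
    # by some unrelated key in a personal keyring does not pass.
    gpgv --keyring "$keyring" "$dir/md5sums.asc" "$dir/md5sums" || return 1
    check_md5sums "$dir" || return 1
    for pkg in "$dir"/*.rpm; do
        [ -e "$pkg" ] || continue
        # rpm checks against the keys imported into its own database.
        out=$(rpm --checksig "$pkg") || return 1
        # Heuristic (assumed output wording): exit status 0 alone can mean
        # "digests OK" on an unsigned package, so require a signature mention.
        printf '%s\n' "${out#"$pkg":}" | grep -Eqi 'gpg|pgp|signatures' || return 1
    done
    return 0
}
```

The order matters: the checksums are only as trustworthy as the signature on the file that lists them, so the manifest signature is checked before anything is hashed.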