PM Mail/2 under a Novel/Pegasus system

Steve Wendt pmmail@rpglink.com
Sat, 20 May 2000 15:30:15 -0700 (PDT)


On Sat, 20 May 2000 14:18:23 -0700, Steve Lamb wrote:

>> Then, who knows how many security holes your system has.
>
>    They'd also have to break PGP in the process since all packages are signed
>with the maintainer's key.  :)

Maybe I don't have a full understanding of the process, but couldn't someone 
just make up a new key, create a malicious package with the same name, and 
sign it with the new key?  Or does the update compare against the signature 
of the previous package installed?  It seems to me this has been done before, 
although maybe not on Debian.


-----------
"Good people do not need laws to tell them to act responsibly,
while bad people will find a way around the laws."
     - Plato (427-347 B.C.)
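
The distinction the question above turns on, as an added example that is not part of the original message or of any package manager's code: a signature that verifies against whatever key ships with the package proves nothing, while a check against keys the installer already trusts rejects a same-named package signed with a fresh key. Lamport one-time signatures stand in for PGP so the sketch runs on the Python standard library alone; the package name, the `TRUSTED` map and all function names are hypothetical.

```python
import hashlib, secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    """Lamport one-time key pair: 256 pairs of secrets; public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    """The 256 bits of SHA-256(msg), most significant bit first."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def valid(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def fingerprint(pk):
    return hashlib.sha256(b"".join(a + b for a, b in pk)).hexdigest()

def verify_any_key(pkg):
    # Weak policy: the signature only has to match the key bundled with the package.
    return valid(pkg["pubkey"], pkg["data"], pkg["sig"])

def verify_pinned(pkg, trusted):
    # Stronger policy: the signing key must already be trusted for this package name.
    known = fingerprint(pkg["pubkey"]) in trusted.get(pkg["name"], set())
    return known and verify_any_key(pkg)

def make_pkg(name, data, sk, pk):
    return {"name": name, "data": data, "pubkey": pk, "sig": sign(sk, data)}

# Constructed sample data: one maintainer key, one unrelated freshly generated key.
maint_sk, maint_pk = keygen()
other_sk, other_pk = keygen()
TRUSTED = {"mailer": {fingerprint(maint_pk)}}  # keyring held locally before the update
genuine = make_pkg("mailer", b"release 1.0 contents", maint_sk, maint_pk)
resigned = make_pkg("mailer", b"different contents", other_sk, other_pk)

if __name__ == "__main__":
    for label, pkg in (("genuine", genuine), ("resigned", resigned)):
        print(label, "any-key:", verify_any_key(pkg),
              "pinned:", verify_pinned(pkg, TRUSTED))
```

Both packages pass the any-key check; only the one signed by the key already in the local trusted set passes the pinned check.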