Charlie Brady wrote:
> It's not obvious to me what the attack vector would be with unsigned
> debuginfo packages...

1. Get people to download packages from you instead of the real
   debuginfo.centos.org by a MITM attack, DNS poisoning or whatever.
2. Send modified malicious packages instead of the real ones. Debuginfo
   packages are (AFAIK) ordinary RPM packages so they can contain evil
   binaries, install a rootkit in their post-install script or something
   like that.

/Pär
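
A defensive check for the scenario in the message above, added here as an example and not part of the original post: it audits yum .repo text and reports enabled repositories whose packages are installed without signature verification, noting when they are also fetched over a plaintext URL. The sample repo definitions, host names and the function name audit_repos are constructed for illustration; treating a missing gpgcheck as "off" unless [main] enables it is an assumption about the client's default.

```python
import configparser

# Constructed sample .repo content (not copied from any real system).
SAMPLE_REPO = """\
[base]
name=Example base
baseurl=https://mirror.example.org/os/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[debuginfo]
name=Example debuginfo
baseurl=http://debuginfo.example.org/7/
enabled=1
gpgcheck=0

[disabled-unsigned]
name=Disabled repo
baseurl=http://mirror.example.org/extra/
enabled=0
gpgcheck=0
"""

def _flag(value, default):
    """Interpret a yum-style boolean; fall back to default when unset."""
    if value is None:
        return default
    return value.strip().lower() in ("1", "true", "yes", "on")

def audit_repos(text, main_gpgcheck=False):
    """Return {repo_id: [issue tags]} for enabled repos lacking gpgcheck."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    # A [main] section, if present, sets the default for every repository.
    if cp.has_section("main"):
        main_gpgcheck = _flag(cp["main"].get("gpgcheck"), main_gpgcheck)
    findings = {}
    for repo_id in cp.sections():
        sec = cp[repo_id]
        if repo_id == "main" or not _flag(sec.get("enabled"), True):
            continue  # disabled repos are never used for installs
        if _flag(sec.get("gpgcheck"), main_gpgcheck):
            continue  # signatures are verified; a swapped package is rejected
        issues = ["unsigned"]
        urls = sec.get("baseurl", "").split() + sec.get("mirrorlist", "").split()
        if any(u.lower().startswith(("http://", "ftp://")) for u in urls):
            issues.append("plaintext-transport")  # no TLS on the download either
        findings[repo_id] = issues
    return findings
```

On the constructed sample, only the enabled debuginfo repository is reported, tagged both unsigned and plaintext-transport.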