Brian May <bam@debian.org> writes:

> However, this also raises another issue I have been thinking of.
> Suppose that I sign the source code of my random package (e.g. ssh with
> Kerberos support compiled in), so it can be freely distributed in a
> secure way. Then someone uploads the code (without my knowledge) to
> one of the upload queues (I believe you can still do that
> anonymously). Next thing, everyone is complaining to the ssh
> maintainer that it won't install without Kerberos...

From the ftp-server side this looks exactly like you NMUing the package,
doesn't it?

I think the solution is to use another key (that is not in the
debian-keyring) to sign stuff that should stay unofficial.

--
Robbe