Re: web address in control file
> Of course, that new control field would only make sense if the control
> files are digitally signed (e.g., with PGP) to make sure all `Origin: SPI'
> packages really come from SPI.
>
> Ideally, the .deb would contain a new entry in the `ar' archive (besides
> control.tar.gz and data.tar.gz), perhaps called `signature', that contains
> the PGP signature. Each installation would then have a /etc/deb-keyring
> PGP public keyring which contains `trusted' signatures--from the user's
> point of view.
>
> By default, that file would contain the SPI signature(s) only (the user
> already trusted us by installing our distribution :-), but could easily be
> extended to include signatures from other sources as well. At installation
> time, dpkg will then check the PGP sigs on the packages against the keys
> in this key ring and report missing or un-checkable signatures as
> `warning', but abort if the signature is bad.
>
> This procedure would require some automated way of digitally signing
> packages that have been uploaded to master with the "SPI" key--but I'm
> sure we'll find a practical and secure solution for that. (Perhaps, we should
> only sign the packages at release time?)
>
> Comments?
>
It will be necessary for dpkg to still work properly if pgp isn't installed
as it is not required. In addition, since most non-developers don't install pgp,
only a small group of people will benefit from this.
- Jay
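
The policy discussed in this thread (a `signature` member in the .deb's ar archive, warn when it is missing or cannot be checked, abort when it is bad), as an added example that is not part of either message and not dpkg code. Assumptions: the signature covers control.tar.gz followed by data.tar.gz, HMAC-SHA256 stands in for PGP so the sketch runs offline, and `KEYRING`, `sign`, `verify` and `check_package` are hypothetical names.

```python
import hashlib, hmac

AR_MAGIC = b"!<arch>\n"
KEYRING = {"SPI": b"constructed-demo-key"}  # stand-in for /etc/deb-keyring

def make_ar(members):
    """Build a minimal ar archive from (name, data) pairs (constructed input)."""
    out = AR_MAGIC
    for name, data in members:
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (
            name.encode(), 0, 0, 0, b"100644", len(data))
        out += data + (b"\n" if len(data) % 2 else b"")  # pad to even length
    return out

def ar_members(blob):
    """Parse an ar archive into {member name: data}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        size = int(hdr[48:58])  # ValueError on a non-numeric size field
        if hdr[58:60] != b"`\n" or not 0 <= size <= len(blob) - pos - 60:
            raise ValueError("bad or truncated ar member")
        members[hdr[:16].decode("ascii").strip().rstrip("/")] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)
    return members

def sign(key_id, secret, payload):
    """Stand-in signature (HMAC-SHA256, not PGP): b'<key id>:<hex mac>'."""
    return key_id.encode() + b":" + hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()

def verify(payload, sig):
    key_id, _, mac = sig.partition(b":")
    secret = KEYRING.get(key_id.decode("ascii", "replace"))
    if secret is None:
        return "unknown-key"  # signer is not in the local keyring
    good = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    return "good" if hmac.compare_digest(mac, good) else "bad"

def check_package(blob, pgp_installed=True):
    """Apply the proposed policy and return 'ok', 'warning' or 'abort'."""
    members = ar_members(blob)
    sig = members.get("signature")
    if sig is None or not pgp_installed:
        return "warning"  # missing signature, or no tool to check it
    payload = members.get("control.tar.gz", b"") + members.get("data.tar.gz", b"")
    return {"good": "ok", "bad": "abort"}.get(verify(payload, sig), "warning")
```

Under this policy a package with no `signature` member, or one checked on a system without pgp, installs with only a warning; only a signature that is present, checkable and wrong stops the installation.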