Re: Cryptic messages from installers

To: Santiago Vila <sanvila@unex.es>
Cc: <debian-devel@lists.debian.org>
Subject: Re: Cryptic messages from installers
From: Adam Heath <doogie@debian.org>
Date: Thu, 19 Apr 2001 14:14:18 -0500 (CDT)
Message-id: <[🔎] Pine.LNX.4.33.0104191412540.23110-100000@localhost>
In-reply-to: <[🔎] Pine.LNX.4.33.0104191647001.5638-100000@home.unex.es>

On Thu, 19 Apr 2001, Santiago Vila wrote:

> "A gpg signature is a random thing" --Debian gnupg maintainer.
>
> Great quote! :-)
>
> You must be joking. A gpg signature represents the person responsible
> for a given upload. You can make a mistake if you forgot to pass -m to
> buildpackage, but you can't gpg-sign with the private key of another
> developer. If there is something "random" here is the Maintainer
> field, not the gpg signature.

Yes, it represents the person.  But there can be multiple addresses on a key,
and, afaik, there is no way to tell by the signature alone which key is
responsbile for the data.

So that's why you use the maintainer field.

Think about signed email.  You compare the From: field, with the list of
knowning addresses for a key, and compare that to the sig.  This is the same
thing.

Reply to:

Follow-Ups:
- Re: Cryptic messages from installers
  - From: Santiago Vila <sanvila@unex.es>

References:
- Re: Cryptic messages from installers
  - From: Santiago Vila <sanvila@unex.es>

Prev by Date: Re: [efraim@sonic.de: Re: Strangeness with console-tools]
Next by Date: simple proposal to illustrate (was: Re: Sources vs Packages files
Previous by thread: Re: Cryptic messages from installers
Next by thread: Re: Cryptic messages from installers
Index(es):
- Date
- Thread