Re: [RFH] The need for signed packages and signed Releases (long, long)
Anthony Towns <aj@azure.humbug.org.au> writes:
> I'm not sure why people seem to think the story begins and ends at what I
> prefer. It doesn't. (1) is effective and feasible with Debian, (2) is not.
(2) would provide some degree of developer-to-user assurance (unless
autobuilders are involved). (1) does not.
> Knowing the .deb is from some particular developer doesn't buy you
> much.
(1) and (2) solve different problems. Of course, a developer's
signature (2) does not convey the same clear message which a release
signature (1) provides. I can see that it is tempting to dismiss (2)
as unusable, but I think the fuzziness is less problematic. After
all, Debian already heavily relies on very, very fuzzy signatures.
Furthermore, (2) offers some recourse in case of a significant Debian
security breach (which will happen some day). (1) only takes care of
the branding/shipping problem.
> Even if you know with absolute _certainty_ that I, personally, built
> the .deb you're installing, this doesn't tell you all that much --
It could come in handy for installing security updates. Or is the
current convoluted procedure just a side effect of the total lack of a
secure shipping channel when using apt?
Reply to: