Re: dpkg-sig support wanted?
>>>>> "Matthew" == Matthew Palmer <firstname.lastname@example.org> writes:
Matthew> I'm keenly interested in per-package signatures for
Matthew> Debian packages -- I think they're a great idea and it's
Matthew> a pity that they haven't received more interest.
I would really like to see all packages signed, not just the source
code and not just the archive (if any) they came from.
I see advantages:
* ability to check downloaded binary package even if it no longer
exists in latest archive.
* ability to trace the source of a binary package in a secure way,
whether it was built by a maintainer, automatically built by an
autobuilder (which one?), or built by some 3rd party.
yes - I realize some people consider automatic signing by an
autobuilder to be "insecure" - however I think it is more secure
then not having any signature - when deciding on how much you trust
it you need to take into account the source. Besides, I believe the
archive is already signed automatically anyway.
* this can occur without trying to look up the *.changes file
(assuming it still exists - for packages never uploaded to Debian,
* others I am too lazy to think of.
Matthew> I've never seen dpkg-sig mentioned before, only debsigs,
Matthew> so I'm not familiar with the tool itself, but the concept
Matthew> is one that needs a lot more exposure.
I would speculate debsigs got a name change to dpkg-sig. Can somebody
confirm or deny?
Brian May <email@example.com>