Re: dpkg-sig support wanted?

[Henrique de Moraes Holschuh <hmh@debian.org>]

On Thu, 24 Nov 2005, Anthony Towns wrote:
> Personally, I think it's cryptographic snake oil, at least in so far

A signed deb has a seal of procedence and allows one to track the path it
made through the system, and who changed it.  It ties a non-trustable
timestamp to every singed step in that path, but that has limited use.
It allows one to verify against tampering of the data along that path.

It does no more.  Nobody who really knows what he's talking about claimed
that it did.

I do claim that a criptographic seal of procedence and non-tampering IS
valuable information, and also that dpkg-sig delivers that information in a
much more usable and universal way than anything else we have currently.

> > something that provides DD-to-user package signatures at least in some
> > cases is very desirable indeed.
> 
> debian-devel-changes provides this.

Not in a very useable form, and only for Debian packages uploaded to the
official Debian archive.  This is hardly good enough.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh