On Mon, Feb 11, 2008 at 01:03:18PM +0100, Frank Lichtenheld wrote:
> > > > > The whole thing honestly doesn't do much for security anyway until the gpg
> > > > > support of dpkg-source is largely improved. For that I have no real concept
> > > > > yet, though.
> > > > Well, apt verifies them when it downloads the source before passing
> > > > it to dpkg to unpack; and there's also verification when entering the
> > > That would be news to me. And I can't seem to find that in the code,
> > > either.
> > $ apt-get source dpkg
> > Failed to fetch http://blah/debian/pool/main/d/dpkg/dpkg_1.13.25.dsc MD5Sum mismatch
> I was talking about the GPG signature of the .dsc
Ah, right. No, that's not done; the chain of trust is:
dak: .changes -> .dsc/etc (maintainer gpg, md5)
apt: Release -> Sources -> .dsc/etc (archive gpg, sha1/sha256, md5)
Switching the .changes/.dsc/Sources checksum from md5 to sha1/sha256
still gets you the same benefit though.
Cheers,
aj
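The two-hop chain aj describes (archive GPG on Release, Release checksums the Sources index, Sources checksums the .dsc) can be modelled in a few dozen lines. The code below is an added example written for this page; it is not code from the thread, nor from apt or dak. It assumes constructed Release, Sources and .dsc contents (the .dsc name is taken from the URL quoted above, its contents are made up), models the OpenPGP check on Release as a boolean parameter rather than verifying a signature, and uses the Debian index field names (MD5Sum/SHA1/SHA256 in Release; Files/Checksums-Sha1/Checksums-Sha256 in Sources). It goes slightly beyond the message by showing the algorithm-selection step that the md5 to sha1/sha256 switch affects: the verifier takes the strongest checksum field the index offers, so an index that only carries MD5Sum is verified with md5 and an index that also carries SHA256 is verified with sha256, while the chaining itself is unchanged.

```python
import hashlib

# Checksum fields in preference order: the strongest one listed wins.
# Field names follow Debian's Release and Sources index conventions.
RELEASE_FIELDS = [("SHA256", "sha256"), ("SHA1", "sha1"), ("MD5Sum", "md5")]
SOURCES_FIELDS = [("Checksums-Sha256", "sha256"), ("Checksums-Sha1", "sha1"), ("Files", "md5")]


def parse_stanza(text):
    """Parse one RFC822-style stanza into {field: [values]}.

    Continuation lines (leading space) are appended to the current field.
    Multi-stanza Sources files are not handled; the sample has one stanza."""
    fields, current = {}, None
    for line in text.splitlines():
        if line.startswith(" "):
            if current is not None:
                fields[current].append(line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            current = name.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields


def expected_digest(fields, field_order, filename):
    """Return (algo, hexdigest, size) for filename from the strongest field that lists it.
    Entries look like '<hex> <size> <name>'."""
    for field, algo in field_order:
        for entry in fields.get(field, []):
            parts = entry.split()
            if len(parts) == 3 and parts[2] == filename:
                return algo, parts[0], int(parts[1])
    raise KeyError(f"{filename} not listed in any checksum field")


def verify_file(fields, field_order, filename, data):
    """Check size and digest of data against the index; returns (algo, ok)."""
    algo, hexdigest, size = expected_digest(fields, field_order, filename)
    ok = len(data) == size and hashlib.new(algo, data).hexdigest() == hexdigest
    return algo, ok


def verify_chain(release_text, sources_data, dsc_name, dsc_data, release_signature_ok):
    """Model of the apt side: Release (gpg) -> Sources (checksum) -> .dsc (checksum).

    The archive signature on Release anchors everything below it; this example
    takes that check's outcome as a parameter instead of verifying OpenPGP.
    Returns the list of (stage, algorithm, ok) steps, stopping at the first failure."""
    steps = [("Release", "gpg", release_signature_ok)]
    if not release_signature_ok:
        return steps
    release = parse_stanza(release_text)
    algo, ok = verify_file(release, RELEASE_FIELDS, "main/source/Sources", sources_data)
    steps.append(("Sources", algo, ok))
    if not ok:
        return steps
    sources = parse_stanza(sources_data.decode())
    algo, ok = verify_file(sources, SOURCES_FIELDS, dsc_name, dsc_data)
    steps.append((dsc_name, algo, ok))
    return steps


def make_index(field_order, filename, data):
    """Constructed helper standing in for the archive tooling: emit the checksum
    fields an index would carry for one file."""
    lines = []
    for field, algo in field_order:
        lines.append(f"{field}:")
        lines.append(f" {hashlib.new(algo, data).hexdigest()} {len(data)} {filename}")
    return "\n".join(lines) + "\n"


# Constructed sample archive content (not real Debian data).
DSC_NAME = "dpkg_1.13.25.dsc"
DSC = b"Format: 1.0\nSource: dpkg\nVersion: 1.13.25\n"
SOURCES = ("Package: dpkg\nVersion: 1.13.25\n" + make_index(SOURCES_FIELDS, DSC_NAME, DSC)).encode()
RELEASE = "Origin: constructed\n" + make_index(RELEASE_FIELDS, "main/source/Sources", SOURCES)

if __name__ == "__main__":
    for step in verify_chain(RELEASE, SOURCES, DSC_NAME, DSC, release_signature_ok=True):
        print(step)
    # A .dsc altered after the index was built fails at the last hop.
    print(verify_chain(RELEASE, SOURCES, DSC_NAME, DSC.replace(b"1.13.25", b"1.13.26"), True)[-1])
```

Everything below the Release signature is only as strong as that signature plus the weakest digest the verifier is willing to accept, which is why the algorithm-selection step matters: if the index offers only MD5Sum, `expected_digest` has nothing better to pick.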