Fabrizio Polacco <fpolacco@icenet.fi> writes:

> Very nice, but it checks file integrity _after_ installation.
> What I was thinking was a system to check the _origin_ of each package,
> to be attached to each .deb

I believe that is what Klee has in mind for the dpkgcert stuff - eventually it will become a part of dpkg.

> As default we should have two keys: debian.org and non-us.debian.org

I don't think that is really necessary if we have the packages signed by the maintainers, and distribute a maintainer key ring. Plus, if we do it that way, it is much easier to take a maintainer's packages out of circulation if he/she violates our trust - just remove their key from the keyring.

Cheers,
- Jim
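The origin-checking scheme Jim proposes (each package signed by its maintainer, a distributed maintainer keyring, and revocation by simply dropping a key from that keyring) can be illustrated with a small model. The following is an added example, not code from this thread, from dpkg, or from the dpkgcert work it mentions. It assumes Ed25519 signatures over a SHA-256 digest of the package bytes as a stand-in for the PGP signatures Debian actually used, and the maintainer identity, package contents and keyring are all constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Keyring maps a maintainer identity to their public key: the "maintainer
// key ring" the message proposes. Ed25519 is an assumption for illustration;
// the real design used PGP keys.
type Keyring map[string]ed25519.PublicKey

// SignedPackage is a constructed stand-in for a .deb plus a detached
// signature naming the maintainer who produced it.
type SignedPackage struct {
	Maintainer string
	Contents   []byte
	Signature  []byte
}

var (
	ErrUnknownMaintainer = errors.New("signer is not in the maintainer keyring")
	ErrBadSignature      = errors.New("signature does not verify over package contents")
)

// SignPackage signs the SHA-256 digest of the package contents with the
// maintainer's private key.
func SignPackage(maintainer string, priv ed25519.PrivateKey, contents []byte) SignedPackage {
	digest := sha256.Sum256(contents)
	return SignedPackage{
		Maintainer: maintainer,
		Contents:   contents,
		Signature:  ed25519.Sign(priv, digest[:]),
	}
}

// VerifyPackage checks origin before installation: the named maintainer must
// be present in the keyring, and their key must verify the signature over the
// digest of the bytes actually received.
func VerifyPackage(kr Keyring, pkg SignedPackage) error {
	pub, ok := kr[pkg.Maintainer]
	if !ok {
		return ErrUnknownMaintainer
	}
	digest := sha256.Sum256(pkg.Contents)
	if !ed25519.Verify(pub, digest[:], pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Revoke takes a maintainer out of circulation: once the key is gone, every
// package they signed stops verifying, with no per-package action needed.
func (kr Keyring) Revoke(maintainer string) { delete(kr, maintainer) }

// newMaintainer generates a key pair and enrols the public half in the keyring.
func newMaintainer(kr Keyring, name string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	kr[name] = pub
	return priv
}

// Demo walks through the three cases that matter for the proposal: a package
// from an enrolled maintainer verifies, a modified package does not, and the
// original package stops verifying once the maintainer's key is revoked.
func Demo() (before, tampered, afterRevoke error) {
	kr := Keyring{}
	// Constructed maintainer identity and package contents.
	alicePriv := newMaintainer(kr, "alice@example.org")
	pkg := SignPackage("alice@example.org", alicePriv, []byte("constructed .deb contents"))

	before = VerifyPackage(kr, pkg)

	modified := pkg
	modified.Contents = []byte("constructed .deb contents, altered in transit")
	tampered = VerifyPackage(kr, modified)

	kr.Revoke("alice@example.org")
	afterRevoke = VerifyPackage(kr, pkg)
	return before, tampered, afterRevoke
}

func main() {
	before, tampered, afterRevoke := Demo()
	fmt.Println("genuine package:      ", before)      // <nil>
	fmt.Println("modified package:     ", tampered)    // signature does not verify ...
	fmt.Println("after key revocation: ", afterRevoke) // signer is not in the maintainer keyring
}
```

The verifier's trust decision rests entirely on the keyring, which is why a single distributed keyring is enough: there is no need for separate debian.org and non-us.debian.org keys, and removing one entry revokes everything that maintainer ever signed.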