> Of course, that new control field would only make sense if the control
> files are digitally signed (e.g., with PGP) to make sure all `Origin: SPI'
> packages really come from SPI. 
> Ideally, the .deb would contain a new entry in the `ar' archive (besides
> control.tar.gz and data.tar.gz), perhaps called `signature', that contains
> the PGP signature. Each installation would then have a /etc/deb-keyring
> PGP public keyring which contains `trusted' signatures--from the user's
> point of view.
> By default, that file would contain the SPI signature(s) only (the user
> already trusted us by installing our distribution :-), but could easily be
> extended to include signatures from other sources as well. At installation
> time, dpkg will then check the PGP sigs on the packages against the keys
> in this key ring and report missing or un-checkable signatures as
> `warning', but abort if the signature is bad. 
> This procedure would require some automated way of digitally signing
> packages that have been uploaded to master with the "SPI" key--but I'm
> sure we'll find a practical and secure solution for that. (Perhaps, we should
> only sign the packages at release time?)
> Comments?
It will be necessary for dpkg to still work properly if pgp isn't installed,
as it is not required. In addition, since most non-developers don't install pgp,
only a small group of people will benefit from this.

- Jay
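The mechanism the quoted proposal describes, as an added example that is not code from this thread, from dpkg or from Debian: a .deb is an `ar' archive, the signer appends a `signature' member after control.tar.gz and data.tar.gz, and the installer looks the signer up in a keyring and applies the proposed policy (missing or uncheckable signature: warn and go on; bad signature from a trusted key: abort). Everything beyond that is my assumption: Ed25519 stands in for PGP because Go's standard library has no OpenPGP; the `signature' member holds the signer's public key and the signature as two hex lines and covers every byte of the archive that precedes it (so member names and sizes are bound in by their headers); a map keyed by hex public key stands in for /etc/deb-keyring; the package body is constructed text, not real tarballs.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// arMember is one entry of the outer `ar' archive of a .deb (debian-binary, control.tar.gz, ...).
type arMember struct{ name string; data []byte }

// writeAr serialises members in `ar' format: "!<arch>\n", then per member a 60-byte header
// (name 16, mtime 12, uid 6, gid 6, mode 8, size 10, magic "`\n") and the data padded to an even offset.
func writeAr(members []arMember) []byte {
	var buf bytes.Buffer
	buf.WriteString("!<arch>\n")
	for _, m := range members {
		fmt.Fprintf(&buf, "%-16s%-12d%-6d%-6d%-8s%-10d`\n", m.name, 0, 0, 0, "100644", len(m.data))
		buf.Write(m.data)
		buf.Write([]byte("\n")[:len(m.data)%2]) // one padding byte after odd-sized data
	}
	return buf.Bytes()
}

// readAr parses an archive from an untrusted source, validating the magic and every size field.
func readAr(raw []byte) ([]arMember, error) {
	if !bytes.HasPrefix(raw, []byte("!<arch>\n")) {
		return nil, fmt.Errorf("not an ar archive")
	}
	var members []arMember
	for pos := 8; pos+60 <= len(raw); {
		hdr := raw[pos : pos+60]
		size, err := strconv.Atoi(strings.TrimSpace(string(hdr[48:58])))
		if string(hdr[58:]) != "`\n" || err != nil || size < 0 || pos+60+size > len(raw) {
			return nil, fmt.Errorf("corrupt member header at offset %d", pos)
		}
		name := strings.TrimRight(string(hdr[:16]), " /") // GNU ar appends '/' to member names
		members = append(members, arMember{name, raw[pos+60 : pos+60+size]})
		pos += 60 + size + size%2
	}
	return members, nil
}

// signDeb appends the `signature' member: two hex lines, the signer's public key and a signature
// over every byte of the archive that precedes the member (assumed layout; the proposal only says "PGP signature").
func signDeb(members []arMember, priv ed25519.PrivateKey) []arMember {
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, writeAr(members))
	return append(members, arMember{"signature", []byte(hex.EncodeToString(pub) + "\n" + hex.EncodeToString(sig) + "\n")})
}

// checkDeb applies the proposed policy: a missing or uncheckable signature returns a warning and no
// error (install goes on); a bad signature from a trusted key returns an error (abort). keyring
// maps hex public key -> key and stands in for /etc/deb-keyring.
func checkDeb(deb []byte, keyring map[string]ed25519.PublicKey) (string, error) {
	members, err := readAr(deb)
	if err != nil {
		return "", err
	}
	last := len(members) - 1
	if last < 0 || members[last].name != "signature" {
		return "warning: package carries no signature member", nil
	}
	parts := strings.Split(strings.TrimSpace(string(members[last].data)), "\n")
	if len(parts) != 2 {
		return "warning: signature member is malformed; cannot check it", nil
	}
	pub, known := keyring[parts[0]] // the key must come from the keyring, never from the package
	if !known {
		return "warning: signed by a key that is not in the keyring: " + parts[0], nil
	}
	sig, err := hex.DecodeString(parts[1])
	n := len(members[last].data)
	signed := deb[:len(deb)-60-n-n%2] // everything before the signature member's header
	if err != nil || !ed25519.Verify(pub, signed, sig) {
		return "", fmt.Errorf("BAD signature from trusted key %s", parts[0])
	}
	return "", nil // good signature from a trusted key
}

// sampleMembers is a constructed stand-in for a package body (the tarballs are not real).
func sampleMembers() []arMember {
	return []arMember{{"debian-binary", []byte("2.0\n")},
		{"control.tar.gz", []byte("<constructed control.tar.gz bytes>")},
		{"data.tar.gz", []byte("<constructed data.tar.gz bytes>")}}
}

func main() {
	spiPub, spiPriv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the SPI PGP key
	ring := map[string]ed25519.PublicKey{hex.EncodeToString(spiPub): spiPub}
	signed := writeAr(signDeb(sampleMembers(), spiPriv))
	tampered := bytes.Replace(signed, []byte("data.tar.gz bytes"), []byte("data.tar.gz BYTES"), 1)
	for _, deb := range [][]byte{signed, writeAr(sampleMembers()), tampered} {
		fmt.Println(checkDeb(deb, ring))
	}
}
```

Running it prints no warning for the signed package, a warning for the copy with the `signature' member stripped, and a BAD-signature error for the copy whose data member was altered after signing. The last two lines together show the weak spot of a warn-on-missing policy: whoever can replace the package can also drop the `signature' member, so the check only stops a tampered package that still claims to be signed by a trusted key unless the installer is told to require signatures. That is also why checkDeb fetches the public key from the keyring by fingerprint rather than trusting the key the package carries.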

