Re: web address in control file
> Of course, that new control field would only make sense if the control
> files are digitally signed (e.g., with PGP) to make sure all `Origin: SPI'
> packages really come from SPI.
> Ideally, the .deb would contain a new entry in the `ar' archive (besides
> control.tar.gz and data.tar.gz), perhaps called `signature', that contains
> the PGP signature. Each installation would then have a /etc/deb-keyring
> PGP public keyring which contains `trusted' signatures--from the users
> point of view.
> By default, that file would contain the SPI signature(s) only (the user
> already trusted us by installing our distribution :-), but easily be
> extent to include signatures from other sources as well. At installation
> time, dpkg will then check the PGP sigs on the packages against the keys
> in this key ring and report missing or un-checkable signatures as
> `warning', but abort if the signature is bad.
> This procedure would require some automated way of digitally signing
> packages that have been uploaded to master with the "SPI" key--but I'm
> sure we find a practical and secure solution for that. (Perhaps, we should
> only sign the packages at release time?)
It will be necessary for dpkg to still work properly if pgp isn't installed
as it is not required. In addition, since most non-developers don't install pgp,
only a small group of people will benefit from this.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
Trouble? e-mail to firstname.lastname@example.org .