[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: web address in control file

On Wed, 4 Feb 1998, Christian Schwarz wrote:
> On Tue, 3 Feb 1998, James A.Treacy wrote:
> [snip]
> > > Comments?
> > > 
> > It will be necessary for dpkg to still work properly if pgp isn't
> > installed as it is not required. In addition, since most non-developers
> > don't install pgp, only a small group of people will benefit from this. 
> Is there some other crypto program we could use for this then? We probably
> don't need the full functionality of PGP--just a simple system with public
> and private keys for writing and checking digital signatures. (Ideally,
> such a package would not fall under the US restrictions so it could become
> part of "main".) Any ideas?

It might be enough if dselect & dpkg just issue a warning, like

 Signatures could not be verified, since pgp is not installed.
 If you trust the source of your packages (e.g. from official cd)
 this is not a cause of worry.

It is not necessary that every user check autheticity but that
every user be able to do it. (Since when were the other security
checks/reviews done by every user?)

If this mechanism is in place then Origin: field would be used
correctly and fakes would be spotted fairly quickly. I think
it is enough.


TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to: