Re: bsign-0.1.7, won't sign ssh and others
On Mon, Dec 14, 1998 at 03:18:41PM -0500, Ben Collins wrote:
> Debs have md5sums in the .dsc which is in turn signed. I was interested in
> the actual file being signed internally somehow to verify the
> maintainer's sig and that it is uncorrupt.

Let me get this clear: by signing only dsc files the only guarantee we
can make is that the package uploaded to master came from the claimed
author. Hmm. Are you sure? When I create my packages, I sign twice.
I thought this was once for the dsc and once for the deb.