
Re: web address in control file



On Wed, 4 Feb 1998, Christian Schwarz wrote:
> On Tue, 3 Feb 1998, James A.Treacy wrote:
> [snip]
> > > Comments?
> > > 
> > It will be necessary for dpkg to still work properly if pgp isn't
> > installed as it is not required. In addition, since most non-developers
> > don't install pgp, only a small group of people will benefit from this. 
> 
> Is there some other crypto program we could use for this then? We probably
> don't need the full functionality of PGP--just a simple system with public
> and private keys for writing and checking digital signatures. (Ideally,
> such a package would not fall under the US restrictions so it could become
> part of "main".) Any ideas?

It might be enough if dselect & dpkg just issue a warning, like

 Signatures could not be verified, since pgp is not installed.
 If you trust the source of your packages (e.g. from official cd)
 this is not a cause of worry.

It is not necessary that every user check authenticity but that
every user be able to do it. (Since when were the other security
checks/reviews done by every user?)

If this mechanism is in place then Origin: field would be used
correctly and fakes would be spotted fairly quickly. I think
it is enough.

t.aa

