On Thu, Jun 10, 1999 at 10:07:07AM +0300, Amos Shapira wrote:
> > > It should be somehow possible to verify WHICH key should be verified,
> > > and be able to obtain this in an independent way (i.e. if the package
> > > is modified, and the key to be verified is directed to the cracker's
> > > key then your verification wouldn't reveal this, would it?).
> >
> > If the package has to be signed by a key in the debian keyring, which itself
> > must be signed by a single key, they can't do this.
>
> Sounds like the answer to my point. So what's preventing the addition
> of this to dpkg? Manpower or crypto laws?

dpkg has been essentially orphaned upstream, by any reasonable definition
of orphaned. =p

Waiting to hear more about this dpkg2 project still.

--
Joseph Carter <knghtbrd@debian.org>            Debian GNU/Linux developer
PGP: E8D68481E3A8BB77 8EE22996C9445FBE            The Source Comes First!
-------------------------------------------------------------------------
"slackware users don't matter. in my experience, slackware users are
either clueless newbies who will have trouble even with tar, or they are
rabid do-it-yourselfers who wouldn't install someone else's pre-compiled
binary even if they were paid to do it."