
Official Debian digital 'branding' of debs

Dear Sirs,

I have noticed that Debian sources are PGP signed by their
package maintainers, but the Debian binaries are not signed.

Since I work in a very security-aware environment, I would
like every Debian binary to also be PGP signed.

For this to be useful for an end user like me, an official
Debian PGP signature could be added to every source and
binary package. I would then only have to make a signature
check against the official signature to prove that I am
dealing with an authentic package.

This official 'branding' could be done when moving packages
from incoming into the Debian ftp tree.

Sorry if I sound paranoid, but RedHat has their packages
PGP signed and it's a piece of cake to find out if I have
an official rpm or not. People at my work are seriously
considering RedHat instead of Debian just for this reason,
even if they prefer the Debian quality of software.

//Gunnar Isaksson
