
Re: Official Debian digital 'branding' of debs

On Jun 18, Gunnar.Isaksson@saab.se wrote:
> For this to be useful for an end user like me an official
> debian PGP signature could be added to every source and
> binary package. I would then only have to make a signature
> check against the official signature to prove that I am
> dealing with an authentic package.
> This official 'branding' could be done when moving packages
> from incoming into the debian ftp tree.

I think when the issue has come up in the past, it's been a problem
with there being a single point of failure in the system (the "one,
true, Debian key").  Just because nobody's hacked RH's system to get
the key doesn't mean it won't happen...

OTOH, I can see a pgp/gnupg signature made, at the time of upload, by
developers; then you can decide which developers you trust (hopefully
all of us, but it's more fine-grained from your POV).  I believe this
was recently discussed here (or maybe on policy)...

|          Chris Lawrence         |           Visit my home page!           |
|     <quango@watervalley.net>    |     http://www.lordsutch.com/chris/     |
|                                 |                                         |
|     Grad Student, Pol. Sci.     |      Visit the Amiga Web Directory      |
|    University of Mississippi    |     http://www.cucug.org/amiga.html     |
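The per-developer model sketched above, as an added example that is not part of the original message or of Debian's own tooling: each developer signs a package at upload time with their own key, and the user keeps a keyring containing only the developers they have chosen to trust. Ed25519 from Go's standard library stands in for PGP/GnuPG; the developer names, package name and payload bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Developer identifies the uploader whose key made the signature. In a
// real archive this would be a PGP key ID; here it is just a name.
type Developer string

// SignedPackage is a package payload plus the signature a developer made
// at upload time. A constructed stand-in for a .deb and its signature.
type SignedPackage struct {
	Name      string
	Payload   []byte
	Signer    Developer
	Signature []byte
}

// Keyring is the user's own set of trusted developer keys. Only keys the
// user chose to add can verify a package, which is the fine-grained trust
// decision the message describes (no single archive key to compromise).
type Keyring map[Developer]ed25519.PublicKey

var (
	ErrUntrustedSigner = errors.New("signer is not in the trusted keyring")
	ErrBadSignature    = errors.New("signature does not match package contents")
)

// signedBytes binds the package name into the signed data so a valid
// signature on one package cannot be reused on another.
func signedBytes(name string, payload []byte) []byte {
	return append([]byte(name+"\x00"), payload...)
}

// signPackage is what the uploading developer does at upload time.
func signPackage(name string, payload []byte, who Developer, priv ed25519.PrivateKey) SignedPackage {
	return SignedPackage{
		Name: name, Payload: payload, Signer: who,
		Signature: ed25519.Sign(priv, signedBytes(name, payload)),
	}
}

// Verify checks a package against the user's keyring. It fails closed: an
// unknown signer, a forged signer name, or a modified payload all reject.
func (k Keyring) Verify(p SignedPackage) error {
	pub, ok := k[p.Signer]
	if !ok {
		return ErrUntrustedSigner
	}
	if !ed25519.Verify(pub, signedBytes(p.Name, p.Payload), p.Signature) {
		return ErrBadSignature
	}
	return nil
}

// ScenarioResult holds the outcome of verifying four constructed packages.
type ScenarioResult struct {
	Genuine, Unknown, Impostor, Tampered error
}

// runScenario builds two developer keys, a keyring that trusts only one of
// them, and four packages exercising the accept and reject paths.
func runScenario() ScenarioResult {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)

	ring := Keyring{"alice": alicePub} // the user trusts alice and nobody else

	const name = "foo_1.0-1_i386.deb" // constructed package name
	genuine := signPackage(name, []byte("constructed package bytes"), "alice", alicePriv)

	// Signed by a developer the user never added to the keyring.
	unknown := signPackage(name, []byte("constructed package bytes"), "mallory", malloryPriv)

	// Mallory claims to be alice but does not hold alice's private key.
	impostor := signPackage(name, []byte("constructed package bytes"), "alice", malloryPriv)

	// Genuine signature, but the archive contents were altered afterwards.
	tampered := genuine
	tampered.Payload = []byte("trojaned package bytes")

	return ScenarioResult{
		Genuine:  ring.Verify(genuine),
		Unknown:  ring.Verify(unknown),
		Impostor: ring.Verify(impostor),
		Tampered: ring.Verify(tampered),
	}
}

func main() {
	r := runScenario()
	fmt.Println("genuine :", r.Genuine)
	fmt.Println("unknown :", r.Unknown)
	fmt.Println("impostor:", r.Impostor)
	fmt.Println("tampered:", r.Tampered)
}
```

Removing a developer from the keyring is the user's only lever, and it is enough: a package signed with a key that is not in the ring is rejected regardless of what the archive says about it, which is the property a single archive key cannot give once that key is stolen.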
