Re: Official Debian digital 'branding' of debs
On Jun 18, Gunnar.Isaksson@saab.se wrote:
> For this to be useful for an end user like me an official
> Debian PGP signature could be added to every source and
> binary package. I would then only have to make a signature
> check against the official signature to prove that I am
> dealing with an authentic package.
> This official 'branding' could be done when moving packages
> from incoming into the debian ftp tree.
I think when the issue has come up in the past, it's been a problem
with there being a single point of failure in the system (the "one,
true, Debian key"). Just because nobody's hacked RH's system to get
the key doesn't mean it won't happen...
OTOH, I can see a pgp/gnupg signature made, at the time of upload, by
developers; then you can decide which developers you trust (hopefully
all of us, but it's more fine-grained from your POV). I believe this
was recently discussed here (or maybe on policy)...
| Chris Lawrence | Visit my home page! |
| <firstname.lastname@example.org> | http://www.lordsutch.com/chris/ |
| | |
| Grad Student, Pol. Sci. | Visit the Amiga Web Directory |
| University of Mississippi | http://www.cucug.org/amiga.html |
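The two trust models discussed above (one official archive key versus per-developer upload signatures that the user chooses to trust) can be modelled in a few dozen lines. The following Go program is an added illustration and is not code from this thread or from Debian's tools: it stands in Ed25519 for PGP, keeps keys in memory, and uses a constructed byte string as the "package". The end user's keyring is a map from developer name to public key; a keyring with a single entry is the single-point-of-failure model, while adding or removing entries is the fine-grained per-developer trust Chris describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Developer models one maintainer with a signing key pair. The key pair is
// generated in memory for this example; in the real scheme it would be the
// developer's PGP key.
type Developer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewDeveloper generates a fresh key pair for a hypothetical maintainer.
func NewDeveloper(name string) (*Developer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Developer{Name: name, Pub: pub, priv: priv}, nil
}

// SignedPackage is what would travel with a .deb: the package bytes, the
// name of the claimed signer, and a detached signature over the digest.
type SignedPackage struct {
	Data   []byte
	Signer string
	Sig    []byte
}

// Sign produces the detached signature a developer would make at upload time.
func (d *Developer) Sign(pkg []byte) SignedPackage {
	digest := sha256.Sum256(pkg)
	return SignedPackage{
		Data:   pkg,
		Signer: d.Name,
		Sig:    ed25519.Sign(d.priv, digest[:]),
	}
}

// Keyring is the end user's own choice of trusted developers (name -> key).
// A keyring with exactly one entry is the "one true Debian key" model.
type Keyring map[string]ed25519.PublicKey

var (
	ErrUntrustedSigner = errors.New("signer is not in the trusted keyring")
	ErrBadSignature    = errors.New("signature does not verify under the signer's key")
)

// Verify accepts a package only if the claimed signer is in the keyring and
// the detached signature verifies under that signer's key. An untrusted name
// is rejected before any cryptography runs; a signature made with a different
// key (impersonation) or over modified bytes (tampering) fails the check.
func (k Keyring) Verify(p SignedPackage) error {
	pub, ok := k[p.Signer]
	if !ok {
		return ErrUntrustedSigner
	}
	digest := sha256.Sum256(p.Data)
	if !ed25519.Verify(pub, digest[:], p.Sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	alice, _ := NewDeveloper("alice")
	mallory, _ := NewDeveloper("mallory")
	// Constructed stand-in for the contents of a .deb file.
	pkg := []byte("constructed stand-in for hello_1.0-1_i386.deb")

	// This user has decided to trust only alice.
	trusted := Keyring{alice.Name: alice.Pub}

	fmt.Println("alice's upload:   ", trusted.Verify(alice.Sign(pkg)))
	fmt.Println("mallory's upload: ", trusted.Verify(mallory.Sign(pkg)))

	forged := mallory.Sign(pkg)
	forged.Signer = "alice" // claims alice's name without holding her key
	fmt.Println("impersonation:    ", trusted.Verify(forged))

	tampered := alice.Sign(pkg)
	tampered.Data = append([]byte("x"), tampered.Data...) // modified after signing
	fmt.Println("tampered package: ", trusted.Verify(tampered))
}
```

Because the keyring is indexed by signer name, a compromise of one developer's key only affects packages that user has chosen to accept from that name; with a single archive key the same compromise would cover every package in the tree.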