Hi,

I definitely feel that there should be some form of PGP verification available for .debs and not only .dsc and .changes files. The fact that it isn't convenient for developers and autobuild scripts isn't very relevant to the Debian end-user. I do not think however it is enough to arbitrarily include a signed md5sums file in /usr/doc/package. If a user has pgp2, pgp5, or gpg, apt should be able to automatically verify a package before it is installed.

On Sun, Jun 20, 1999 at 11:37:21AM -0500, Manoj Srivastava wrote:
> Having a single key does indeed create a single point of
> failure, but this is a known fact, and we can expend significant
> effort to maintain the integrity of the single key (never put on a
> networked computer, only used for signing the debian keyring, etc).

This single point of failure would be more apparent to Debian than to RedHat however. Since Debian is a distribution put together by volunteers, developers, project leaders, and conceivably key maintainers can come and go on a regular basis. A leak would be extremely possible imho.

--
Shane Wegner: shane@cm.nu
Sysadmin, Continuum Systems: http://www.cm.nu
Tel: (604) 930-0520
Personal website: http://www.cm.nu/~shane
Fax: (604) 930-0529
PGP: keyid: 2048/F5C2BD91
ICQ UIN: 120000
Fingerprint: 8C 48 B9 D8 53 BB D8 EF 76 BB DB A2 1C 0D 1D 87