
Re: Signing Packages.gz



On Sun, Apr 02, 2000 at 08:11:15PM +0200, Torsten Landschoff wrote:
> 
> We might want to revoke the old key. If James leaves we can't revoke his key
> because it is HIS key. We can however revoke the dinstall key because it 
> is by definition Debian's key. But this is nitpicking.

Who is Debian? Where is the safe where the secret key will be stored
(as the keys from Microsoft are)? Who will be responsible for all this, and
what makes you believe that those will be more careful about the key
than James?

The central authority doesn't mix extremely well with the distributed
organization Debian is.

Note that a signed Packages file works extremely well for a single corporation
which produces a Debian-based distribution, or for an individual.

People keep forgetting about Debian's nature, and this keeps bothering me.

> You have started the child game. We want to make a simple change to apt as
> dinstall and you keep telling us that it won't make things better. Now you
> said that making things better but not perfect is not the Debian way of 
> doing things.

Yes. Because the Debian installation tool is dpkg, and not apt.

This is the second main point that I disagree with (aside from the security
discussion, which is complicated and by now covered well). A solution
for Debian should serve all people: those who use apt, those who use dpkg
and downloaded files, and those who use other methods (dselect etc.).

Thanks,
Marcus

