On Tue, Jul 25, 2000 at 02:18:28PM +0200, Robert Bihlmeyer wrote:
Robert, all the messages I get from you on this list seem to come up
with BAD signature. Any idea what's up?
> Brian May <bam@debian.org> writes:
> > However, this also raises another issue I have been thinking of.
> > Suppose that I sign the source code of my random package (eg ssh with
> > Kerberos support compiled in), so it can be freely distributed in a
> > secure way. Then someone uploads the code (without my knowledge) to
> > one of the upload queues (I believe you can still do that
> > anonymously). Next thing, everyone is complaining to the ssh
> > maintainer that it wont install without Kerberos...
You need a signed .dsc and a signed .changes file for this to work. If
you make your distribution "personal" or similar rather than "unstable",
dinstall won't accept it. If you don't make a signed .changes file
publically available at all, they won't have anything to upload anywhere.
No new infrastructure required.
Cheers,
aj
--
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.
``We reject: kings, presidents, and voting.
We believe in: rough consensus and working code.''
-- Dave Clark
Attachment:
pgphGeBVl7rE0.pgp
Description: PGP signature