On Tue, Jul 25, 2000 at 02:18:28PM +0200, Robert Bihlmeyer wrote:

Robert, all the messages I get from you on this list seem to come up with
BAD signature. Any idea what's up?

> Brian May <bam@debian.org> writes:
> > However, this also raises another issue I have been thinking of.
> > Suppose that I sign the source code of my random package (eg ssh with
> > Kerberos support compiled in), so it can be freely distributed in a
> > secure way. Then someone uploads the code (without my knowledge) to
> > one of the upload queues (I believe you can still do that
> > anonymously). Next thing, everyone is complaining to the ssh
> > maintainer that it won't install without Kerberos...

You need a signed .dsc and a signed .changes file for this to work. If
you make your distribution "personal" or similar rather than "unstable",
dinstall won't accept it. If you don't make a signed .changes file
publicly available at all, they won't have anything to upload anywhere.

No new infrastructure required.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

``We reject: kings, presidents, and voting.
  We believe in: rough consensus and working code.''
      -- Dave Clark
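The gate described in the message above, sketched as an added example (not part of the original mail and not dinstall's code): read the Distribution field only from the signed region of a .changes file and reject anything outside an accepted set. The accepted set, the `ssh-krb` package name and the sample files are assumptions constructed for illustration; the signature itself is not verified here.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
ACCEPTED_SUITES = {"unstable"}  # assumption: suites the archive accepts

def split_clearsign(text):
    """Return (body_lines, armored). Only the framing is checked here; the
    signature still has to be verified with gpg against the keyring."""
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_MSG:
        return lines, False
    if BEGIN_SIG not in lines or END_SIG not in lines or "" not in lines:
        return [], False  # broken armor: treat as unsigned
    start, end = lines.index("") + 1, lines.index(BEGIN_SIG)
    # Keep only the signed region and undo dash-escaping ("- " prefix).
    return [l[2:] if l.startswith("- ") else l for l in lines[start:end]], True

def control_fields(body):
    """Parse 'Key: value' fields, folding indented continuation lines."""
    fields, key = {}, None
    for line in body:
        if line[:1] in (" ", "\t") and key:
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    return fields

def upload_decision(changes_text, accepted=ACCEPTED_SUITES):
    body, armored = split_clearsign(changes_text)
    if not armored:
        return "reject: no signed .changes"
    suites = set(control_fields(body).get("Distribution", "").split())
    if not suites or not suites <= accepted:
        return "reject: distribution %s not accepted" % sorted(suites)
    return "candidate: verify signature against the keyring"

def sample(dist, signed=True):
    """Constructed .changes text (hypothetical package, placeholder values)."""
    body = ("Format: 1.7\nSource: ssh-krb\nDistribution: %s\n"
            "Files:\n <md5> 1234 net optional ssh-krb_1.0.dsc\n" % dist)
    if not signed:
        return body
    return (BEGIN_MSG + "\nHash: SHA1\n\n" + body + BEGIN_SIG +
            "\n<signature placeholder>\n" + END_SIG + "\n")

if __name__ == "__main__":
    for text in (sample("personal"), sample("unstable"), sample("unstable", False)):
        print(upload_decision(text))
```

Text placed before or after the armor is ignored, so a Distribution line appended outside the signed region cannot change the decision.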