
Re: Packages and signatures



>>>>> "Nicolás" == Nicolás Lichtmaier <nick@debian.org> writes:

    Nicolás>  So, my point hasn't been refuted. There's no reason we
    Nicolás> shouldn't start using package signatures now, with
    Nicolás> automatic signing by dinstall.

Will dinstall sign any package that already has a valid signature
in the *.changes and *.dsc file?

If so, how can you be sure that my key in the debian public key ring
really is my key?

(not trying to argue your point, just pointing out that weaknesses
still do exist).

Suggestion: have up to two signatures per package, one from the
uploader[1] (which can be verified by the paranoid who have some chain of
trust already established), and one from dinstall.

Comments?

Note:
[1] by this I mean the same person who signs the *.dsc and/or *.changes file.
I think this applies even to the autobuilders.
-- 
Brian May <bam@debian.org>
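The two-signature scheme suggested above, worked through as an added example that is not from this thread or from Debian's own tools. It substitutes Ed25519 from Go's standard library for the PGP signatures the thread is about; the key IDs, the trust levels, the sample package bytes and the acceptance policy are all constructed for illustration. A "casual" verifier accepts the automatic dinstall signature alone, while a "paranoid" verifier additionally requires the uploader's signature from a key it has vouched for through its own chain of trust, which is exactly the case a key that is merely present in the public keyring fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Trust a verifier has established in a signing key. Presence in a distributed
// keyring (TrustKeyring) does not prove who holds the key; only a key verified
// through the verifier's own chain of trust is TrustFull. (Constructed levels.)
type Trust int

const (
	TrustNone    Trust = iota // key unknown to this verifier
	TrustKeyring              // listed in the public keyring, no chain of trust
	TrustFull                 // verified through the verifier's own trust chain
)

type Key struct {
	ID    string // hypothetical key identifier (a real one would be a fingerprint)
	Pub   ed25519.PublicKey
	Trust Trust
}

// Signature carried beside the package: which key claims to have signed it.
type Signature struct {
	KeyID string
	Sig   []byte
}

type Verdict struct {
	UploaderOK    bool  // uploader signature cryptographically valid
	UploaderTrust Trust // how far the verifier trusts the uploader's key
	DinstallOK    bool  // archive (dinstall) signature cryptographically valid
}

// VerifyPackage checks every signature against the keyring and records what
// each valid one attests: the dinstall key proves the package passed through
// the archive; any other valid key is taken as the uploader's.
func VerifyPackage(pkg []byte, sigs []Signature, keyring map[string]Key, dinstallID string) Verdict {
	var v Verdict
	for _, s := range sigs {
		key, known := keyring[s.KeyID]
		if !known || !ed25519.Verify(key.Pub, pkg, s.Sig) {
			continue // unknown key or bad signature contributes nothing
		}
		if s.KeyID == dinstallID {
			v.DinstallOK = true
		} else {
			v.UploaderOK = true
			v.UploaderTrust = key.Trust
		}
	}
	return v
}

// Accept applies the verifier's policy: everyone needs the dinstall signature;
// the paranoid also need an uploader signature from a fully trusted key.
func (v Verdict) Accept(paranoid bool) bool {
	if !v.DinstallOK {
		return false
	}
	if !paranoid {
		return true
	}
	return v.UploaderOK && v.UploaderTrust == TrustFull
}

func makeKey(id string, trust Trust) (Key, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Key{ID: id, Pub: pub, Trust: trust}, priv
}

func sign(priv ed25519.PrivateKey, id string, pkg []byte) Signature {
	return Signature{KeyID: id, Sig: ed25519.Sign(priv, pkg)}
}

// RunScenarios builds a constructed package, three keys (a trusted uploader, a
// key that is in the keyring but unverified, and dinstall) and returns the
// verdict for each situation the thread raises.
func RunScenarios() map[string]Verdict {
	pkg := []byte("hello_1.0-1_i386.deb: constructed sample package contents")
	uploader, uploaderPriv := makeKey("uploader", TrustFull)
	stranger, strangerPriv := makeKey("keyring-only", TrustKeyring)
	dinstall, dinstallPriv := makeKey("dinstall", TrustFull)
	keyring := map[string]Key{uploader.ID: uploader, stranger.ID: stranger, dinstall.ID: dinstall}

	both := []Signature{sign(uploaderPriv, uploader.ID, pkg), sign(dinstallPriv, dinstall.ID, pkg)}
	dinstallOnly := []Signature{sign(dinstallPriv, dinstall.ID, pkg)}
	untrusted := []Signature{sign(strangerPriv, stranger.ID, pkg), sign(dinstallPriv, dinstall.ID, pkg)}
	tampered := append([]byte{}, pkg...)
	tampered[0] ^= 0x01 // one flipped bit invalidates both signatures

	return map[string]Verdict{
		"both":               VerifyPackage(pkg, both, keyring, dinstall.ID),
		"dinstall-only":      VerifyPackage(pkg, dinstallOnly, keyring, dinstall.ID),
		"untrusted-uploader": VerifyPackage(pkg, untrusted, keyring, dinstall.ID),
		"tampered":           VerifyPackage(tampered, both, keyring, dinstall.ID),
	}
}

func main() {
	for name, v := range RunScenarios() {
		fmt.Printf("%-19s casual=%-5v paranoid=%-5v %+v\n", name, v.Accept(false), v.Accept(true), v)
	}
}
```

The "untrusted-uploader" case is the weakness raised in the message: the signature verifies, the key is in the keyring, and yet nothing ties the key to the person, so the paranoid policy refuses while the casual one, relying on dinstall alone, accepts.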


