Hi, I was wondering it there is any authenticity checking for the debian
package, because we signed the md5sum file with our gpg/pgp key, but how can
the user to make sure if these signs belogs to the valid package maintainer?
redhat packages are signed with the One Valid redhat key so I suggest to
sign somehow like that.
Eg. packages done, there is the md5 sum, maintainer signs that, and when the
package will be dinstalled, the Debian system signs it with the centralised
Or am I wrong and is there any other solution to check if the package is the
original one, and isn't it hacked?
Tamas SZERB <firstname.lastname@example.org>
GPG public key: http://alabama.rulez.org/~toma/gpgkey-toma.asc