packages authenticity

To: debian-devel@lists.debian.org
Subject: packages authenticity
From: Tamas SZERB <toma@rulez.org>
Date: Fri, 30 Mar 2001 14:56:53 +0200
Message-id: <20010330145653.B13330@toma@rulez.org>

Hi, I was wondering it there is any authenticity checking for the debian
package, because we signed the md5sum file with our gpg/pgp key, but how can
the user to make sure if these signs belogs to the valid package maintainer?

redhat packages are signed with the One Valid redhat key so I suggest to
sign somehow like that.

Eg. packages done, there is the md5 sum, maintainer signs that, and when the
package will be dinstalled, the Debian system signs it with the centralised
key.

Or am I wrong and is there any other solution to check if the package is the
original one, and isn't it hacked?

--
VWOL
Tamas SZERB <toma@rulez.org>
GPG public key: http://alabama.rulez.org/~toma/gpgkey-toma.asc

Reply to:

Follow-Ups:
- Re: packages authenticity
  - From: Guus Sliepen <guus@sliepen.warande.net>

Prev by Date: How do I get Japanese to print?
Next by Date: Re: IMAP sync
Previous by thread: Re: How do I get Japanese to print?
Next by thread: Re: packages authenticity
Index(es):
- Date
- Thread