
Package verification

I'm working (among other things) on a way to download packages (binary or source)
from a P2P network such as giFT openft. This isn't a good idea if you can't 
verify that the package you are getting was actually created by the 
maintainer of the package, or someone authorised to do NMUs. Is there 
currently a good way to do it, and when will it be used? I was told by 
someone that debsign-verify isn't a good thing. I'm not convinced the md5sums 
are good enough. Thanks,

