Package verification
I'm working (among other things) on a way to download packages (binary or source)
from a P2P network such as giFT openft. This isn't a good idea if you can't
verify that the package you are getting was actually created by the
maintainer of the package, or someone authorised to do NMUs. Is there
currently a good way to do it, and when will it be used? I was told by
someone that debsign-verify isn't a good thing. I'm not convinced the md5sums
are good enough. Thanks,
David