Re: signed packages/releases

To: Robert Lemmen <robertle@semistable.com>
Cc: debian-devel@lists.debian.org
Subject: Re: signed packages/releases
From: Goswin Brederlow <goswin.brederlow@student.uni-tuebingen.de>
Date: 26 Jul 2002 12:16:44 +0200
Message-id: <[🔎] 87n0sepzeb.fsf@mrvn.homelinux.org>
In-reply-to: <[🔎] 20020725160622.GA2796@semistable.com>
References: <[🔎] 20020725160622.GA2796@semistable.com>

Robert Lemmen <robertle@semistable.com> writes:

> hi folks,
> 
> can anyone tell me what the status of the package/release
> signing/verifying is? is anyone (who?) working on it?
> 
> i am extremly interested in this feature and would like to help as much
> as i can ...
> 
> regards
> robert

Release files are signed in Release.gpg. The Release files contain
md5sum and sizes of the Packages and Sources files and they are
verified through that. The Packages and Sources files contain md5sum
and size of the debs and sources and they are in turn verified.

What needs to be done is to check the Release files signature against
the Release file. Don't think thats done automatically yet.

Apart from that mechanism uploads from maintainers are signed in the
changes files, but that information is lost during installation in the
ftp archive.

Uploads from buildd's, which is the majority of uploads, cannot be
signed safely. It would be too easy to steal the buildds gpg key and
fake signed packages.

MfG
        Goswin

-- 
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

References:
- signed packages/releases
  - From: Robert Lemmen <robertle@semistable.com>

Prev by Date: Re: Some important packages have been orphaned
Next by Date: Re: pam_console for debian
Previous by thread: Re: signed packages/releases
Next by thread: Some important packages have been orphaned
Index(es):
- Date
- Thread