
Re: [RFH] The need for signed packages and signed Releases (long, long)

On Tue, Nov 12, 2002 at 02:45:20PM -0600, Manoj Srivastava wrote:
> >>"Anthony" == Anthony Towns <aj@azure.humbug.org.au> writes:
> 	It does not help with packages that are not on the official
>  repository, are locally created, come from partial mirrors or
>  personal cd sets.

It's fine for partial mirrors and personal CD sets: you need a Packages
file for both of those, and if you're using the Debian one you can use
the Debian Release{,.gpg}, if you're not, you need to set up your own
trust path.

For non-Debian stuff, like people.debian.org repositories, stuff that
third parties distribute, whatever, debsigs are an entirely useful tool.
But afaics, you can already do that if you like, and that's not an
argument for including them in the archive.


Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

 ``If you don't do it now, you'll be one year older when you do.''
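
Added example, not part of the original message and not Debian's own code: the trust path a partial mirror inherits, with a `.deb` checked against a Packages index that is itself checked against the signed Release file. The SHA256 fields follow the current archive layout, the sample data is constructed, and the function names are illustrative; the GPG check of Release against Release.gpg is assumed to have been done separately.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def release_hashes(release_text: str) -> dict:
    """Map each index path in Release's SHA256 section to (digest, size)."""
    out, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            out[path] = (digest, int(size))
        else:
            in_section = False
    return out

def package_entries(packages_text: str) -> dict:
    """Map each Filename in a Packages index to its stanza's fields."""
    out = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines())
        out[fields["Filename"]] = fields
    return out

def verify_deb(release_text, index_path, packages, deb_path, deb) -> bool:
    """Check Release -> Packages -> .deb; Release itself is assumed to have
    already passed `gpg --verify Release.gpg Release`."""
    if release_hashes(release_text).get(index_path) != (sha256(packages), len(packages)):
        return False  # Packages index is not the one the signed Release names
    entry = package_entries(packages.decode()).get(deb_path)
    if entry is None:
        return False  # .deb is not listed in the verified index
    return entry["SHA256"] == sha256(deb) and int(entry["Size"]) == len(deb)

# Constructed sample data: an index listing two packages, of which the
# partial mirror carries only foo.
FOO_DEB = b"constructed payload standing in for foo_1.0_all.deb"
BAR_DEB = b"constructed payload for bar_2.0_all.deb (not mirrored)"
PACKAGES = "\n\n".join(
    f"Package: {n}\nFilename: pool/main/{n}.deb\nSize: {len(d)}\nSHA256: {sha256(d)}"
    for n, d in (("foo", FOO_DEB), ("bar", BAR_DEB))
).encode() + b"\n"
INDEX = "main/binary-i386/Packages"
RELEASE = f"Suite: constructed\nSHA256:\n {sha256(PACKAGES)} {len(PACKAGES)} {INDEX}\n"

if __name__ == "__main__":
    print(verify_deb(RELEASE, INDEX, PACKAGES, "pool/main/foo.deb", FOO_DEB))         # intact
    print(verify_deb(RELEASE, INDEX, PACKAGES, "pool/main/foo.deb", FOO_DEB + b"x"))  # altered
```

The mirror needs only the unmodified Packages index and the files it actually carries; a locally built `.deb` that appears in no signed index fails the lookup, which is the case the quoted text raises.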
