
Re: [RFH] The need for signed packages and signed Releases (long, long)



i think that it is very important that signed packages/releases are not
only possible by the means of an optional package, but a standard and
done by default. you sometimes have to force people into their luck.

i also think that a way to sign packages *and* a way to sign releases is
necessary (which means apt *and* dpkg have to support it), because there
are other ways to get .debs than apt-getting them, and the signing of
the package alone is not enough because someone might for example poison
your nameserver and hand you an outdated package with known security
flaws.

i also think that when signing releases it is important to timestamp
them and touch-resign them in fixed intervals, so you can be sure that
you are not getting a stale release file.

i have the impression that a lot of people don't realise how important
this is. don't you get shivers every time you do an apt-get upgrade and
your computer happily downloads tons of software from various mirrors
and installs them? i do.

if anyone picks this up i will be happy to do every work i am capable
of.

cu  robert
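
The client-side check that timestamped, periodically re-signed release files make possible, as an added example that is not part of the original message: once the signature has been verified, reject a release file that is expired, dated in the future, or older than the last one accepted. The field names `Date` and `Valid-Until` follow the APT Release file format; the sample file, the seven-day default and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample release metadata (not taken from a real archive).
SAMPLE_RELEASE = """\
Origin: Example
Suite: stable
Date: Sat, 01 Mar 2025 12:00:00 UTC
Valid-Until: Sat, 08 Mar 2025 12:00:00 UTC
SHA256:
 0000 1234 main/binary-amd64/Packages
"""

def parse_fields(text):
    """Return the top-level 'Key: value' fields, skipping indented hash lines."""
    fields = {}
    for line in text.splitlines():
        if line[:1] in (" ", "\t") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def to_utc(value):
    """Parse an RFC 2822 style date; treat a missing zone as UTC."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_release(text, now, last_seen=None, max_age=timedelta(days=7)):
    """Freshness verdict for a release file whose signature is ALREADY verified.

    last_seen is the Date of the newest release this client accepted before.
    """
    fields = parse_fields(text)
    if "Date" not in fields:
        return "reject: no Date field"
    signed_at = to_utc(fields["Date"])
    if signed_at > now + timedelta(minutes=5):   # small allowance for clock skew
        return "reject: dated in the future"
    if last_seen is not None and signed_at < last_seen:
        return "reject: older than last accepted release"
    # Prefer the archive's own expiry; otherwise apply the local maximum age.
    expiry = to_utc(fields["Valid-Until"]) if "Valid-Until" in fields else signed_at + max_age
    if now > expiry:
        return "reject: stale"
    return "ok"
```

A validly signed but old release file passes signature verification unchanged, so only the freshness and last-seen comparisons catch a mirror or poisoned nameserver replaying it.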


