Re: [RFH] The need for signed packages and signed Releases (long, long)
On Wed, Nov 13, 2002 at 08:42:05PM +0700, Robert Lemmen wrote:
> i think that [...]
> i also think [...]
Ah, opinions, aren't they great?
> i also think that when signing releases it is important to timestamp
> them and touch-resign them in fixed intervals, so you can be sure that
> you are not getting a stale release file.
While doing all this copious thinking, you might like to do something like
$ lynx -dump http://ftp.debian.org/dists/sid/Release | grep Date:
Date: Tue, 12 Nov 2002 20:38:39 UTC
just to see if your thoughts are actually anything new.
> i have the impression that a lot of people don't realise how important
> this is. don't you get shivers every time you do an apt-get upgrade and
No, I don't, since I've trained myself to type `apt-check-sigs' after
every `apt-get update'. (And the only debs I install through anything
other than apt are ones I've made myself these days)
Anthony Towns <email@example.com> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.
``If you don't do it now, you'll be one year older when you do.''
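
The staleness check discussed in this thread, as an added example that is not part of the original message or of any Debian tool: it reads the Date field of a Release file and classifies the file by age. The function names, the 7-day age limit, the 10-minute clock-skew allowance and the sample file (apart from its Date line) are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample; only the Date line is taken from the message above.
SAMPLE_RELEASE = """\
Origin: Debian
Suite: unstable
Date: Tue, 12 Nov 2002 20:38:39 UTC
"""

def release_date(release_text):
    """Return the Date field of a Release file as an aware UTC datetime."""
    for line in release_text.splitlines():
        if line[:1] in (" ", "\t"):      # continuation lines (checksum lists)
            continue
        name, sep, value = line.partition(":")
        if sep and name == "Date":
            try:
                parsed = parsedate_to_datetime(value.strip())
            except (TypeError, ValueError):
                raise ValueError("unparseable Date field: %r" % value.strip())
            if parsed.tzinfo is None:    # treat a zone-less date as UTC
                parsed = parsed.replace(tzinfo=timezone.utc)
            return parsed.astimezone(timezone.utc)
    raise ValueError("Release file has no Date field")

def check_freshness(release_text, now, max_age=timedelta(days=7),
                    max_skew=timedelta(minutes=10)):
    """Classify a Release file as 'fresh', 'stale' or 'future-dated'.

    The Date field can only be trusted once the signature over the Release
    file has been verified; an unsigned date proves nothing about freshness.
    """
    age = now - release_date(release_text)
    if age < -max_skew:                  # dated later than our clock allows
        return "future-dated"
    if age > max_age:                    # older than the assumed limit
        return "stale"
    return "fresh"

if __name__ == "__main__":
    print(check_freshness(SAMPLE_RELEASE, datetime.now(timezone.utc)))
```
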