
Re: [RFH] The need for signed packages and signed Releases (long, long)

On Wed, Nov 13, 2002 at 08:42:05PM +0700, Robert Lemmen wrote:
> i think that [...]
> i also think [...]

Ah, opinions, aren't they great?

> i also think that when signing releases it is important to timestamp
> them and touch-resign them in fixed intervals, so you can be sure that
> you are not getting a stale release file.

While doing all this copious thinking, you might like to do something like

$ lynx -dump http://ftp.debian.org/dists/sid/Release | grep Date:
Date: Tue, 12 Nov 2002 20:38:39 UTC

just to see if your thoughts are actually anything new.

> i have the impression that a lot of people don't realise how important
> this is. don't you get shivers every time you do an apt-get upgrade and

No, I don't, since I've trained myself to type `apt-check-sigs' after
every `apt-get update'. (And the only debs I install through anything
other than apt are ones I've made myself these days)


Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

 ``If you don't do it now, you'll be one year older when you do.''
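
An added example, not part of the original post or of any Debian tool: a sketch of the stale-Release check discussed above, using the `Date:` field shown in the lynx output. It assumes the Release file's signature has already been verified; the function names, the maximum age and the clock-skew allowance are hypothetical.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: only the Date line is taken from the post above.
SAMPLE_RELEASE = """\
Origin: Debian
Suite: unstable
Date: Tue, 12 Nov 2002 20:38:39 UTC
"""

def release_date(text):
    """Return the Date: field of a Release file as an aware UTC datetime."""
    dates = [line.split(":", 1)[1].strip() for line in text.splitlines()
             if line.startswith("Date:")]
    if len(dates) != 1:
        raise ValueError("expected exactly one Date: field, found %d" % len(dates))
    try:
        parsed = parsedate_to_datetime(dates[0])
    except (TypeError, ValueError):
        raise ValueError("unparseable Date: %r" % dates[0])
    if parsed.tzinfo is None:  # no zone given: treat as UTC (assumption)
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)

def check_freshness(text, now, max_age, last_seen=None,
                    skew=timedelta(minutes=10)):
    """Classify a verified Release file: 'ok', 'stale', 'rollback' or 'future'."""
    stamp = release_date(text)
    if stamp > now + skew:
        return "future"    # local clock is wrong or the timestamp is bogus
    if last_seen is not None and stamp < last_seen:
        return "rollback"  # older than a Release we already accepted
    if now - stamp > max_age:
        return "stale"     # mirror stopped updating, or an old file was replayed
    return "ok"

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(check_freshness(SAMPLE_RELEASE, now, max_age=timedelta(days=2)))
```

The timestamp only means something once the signature over the Release file has been checked, since an unsigned Date: line can be rewritten by whoever serves the file.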
