Re: Package signatures tools
On Fri, Jul 11, 2003 at 05:47:10PM +0200, J?rgen A.Erhard wrote:
> I'm releasing these things now... have them in development and use for
> a couple weeks/months now.
> A Python module for doing debsigs-type package signatures and
> verification thereof. Uses and included module for GnuPG file
> signatures and verification.
Also, I think using any scripted tool to do the verification is asking
for security holes. It pulls in too many variables on which verification
needs to depend. The debsigs-verify tool does the verification and xml
parsing all in one C program.
What did you find wrong with the current tools already available and
documented? The only thing they need is policy to get them going. Dpkg
can already call debsig-verify to validate a package. It just needs to
be turned on.
Debian - http://www.debian.org/
Linux 1394 - http://www.linux1394.org/
Subversion - http://subversion.tigris.org/
Deqo - http://www.deqo.com/