
Re: dpkg-sig: sign binary debian archive files

The two methods are orthogonal, and serve different purposes, for
different audiences.

Signing in APT (signed Release files):
  -  Complete trust path in a "distribution" sense.  It signs packages
     as a group, so you -know- that a package:
       1. Belongs to a certain distribution (e.g. 3.1r2, or security)
       2. Has not been tampered with. 

Signing in dpkg (dpkg-sig):
  -  Trust path for a package only, so that you -know- that a package:
       1. Has gone through a certain way till it reached your hands
          (different signatures, e.g.: developer, katie, release?)
       2. Has not been tampered with.

dpkg-sig is _very_ interesting for those of us who want to know where
a package went, and when.  It is very difficult to track this only using
Release files, especially as time passes.

OTOH, apt-secure allows one to know he is not being "misled" into using an
untampered-with package with a known security bug instead of the fixed
version that should have been shipped to him.

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

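The two trust paths above, as an added worked example (this is not code from the
message, from apt or from dpkg-sig). It models the chain apt-secure walks (archive
signature over Release, Release lists the Packages digest, Packages lists the .deb
digest) next to a dpkg-sig style per-package signature, and shows the case the
message describes: an untampered, correctly signed old package with a known bug is
accepted by the per-package check but rejected by the Release chain because it is
not part of the current distribution. Assumptions: HMAC-SHA256 with constructed keys
stands in for the OpenPGP signatures that gpgv/dpkg-sig really use, the Release,
Packages and .deb contents are constructed inline, and the signer roles
("developer", "katie") are illustrative key names, not real archive keys.

```python
# Added example, not from the original message nor from apt/dpkg-sig.
# HMAC-SHA256 stands in for OpenPGP signatures (assumption); all data is constructed.
import hashlib
import hmac

# Assumed signing keys: one archive key (signs Release), and per-signer keys for
# the dpkg-sig path (the message's "developer, katie, release?" chain).
ARCHIVE_KEY = b"archive-signing-key"
SIGNER_KEYS = {"developer": b"developer-key", "katie": b"katie-key"}


def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key, data, sig):
    return hmac.compare_digest(sign(key, data), sig)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed .deb contents: an old build with a known bug, and the fixed build.
DEB_OLD = b"ar-archive: foo 1.0-1 (known security bug)"
DEB_FIXED = b"ar-archive: foo 1.0-2 (security fix)"
OLD_NAME = "pool/main/f/foo/foo_1.0-1_all.deb"
FIXED_NAME = "pool/main/f/foo/foo_1.0-2_all.deb"

# dpkg-sig path: each .deb carries its own signatures, here by developer and katie.
DPKG_SIGS = {
    DEB_OLD: {role: sign(key, DEB_OLD) for role, key in SIGNER_KEYS.items()},
    DEB_FIXED: {role: sign(key, DEB_FIXED) for role, key in SIGNER_KEYS.items()},
}

# apt path: only the fixed package is in the current Packages index, only Release is signed.
PACKAGES = (
    f"Package: foo\nVersion: 1.0-2\nFilename: {FIXED_NAME}\nSHA256: {sha256(DEB_FIXED)}\n\n"
).encode()
RELEASE = (
    "Suite: stable-security\nCodename: sarge\nSHA256:\n"
    f" {sha256(PACKAGES)} {len(PACKAGES)} main/binary-all/Packages\n"
).encode()
RELEASE_SIG = sign(ARCHIVE_KEY, RELEASE)


def parse_release_hashes(release):
    """Return {path: sha256} from the SHA256 section of a Release file."""
    hashes, in_section = {}, False
    for line in release.decode().splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, _size, path = line.split()
            hashes[path] = digest
        else:
            in_section = False
    return hashes


def parse_packages_hashes(packages):
    """Return {Filename: SHA256} for every stanza of a Packages file."""
    hashes = {}
    for stanza in packages.decode().strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        hashes[fields["Filename"]] = fields["SHA256"]
    return hashes


def verify_via_release(deb, filename, release, release_sig, packages):
    """apt-secure style: archive key -> Release -> Packages -> .deb digest."""
    if not verify(ARCHIVE_KEY, release, release_sig):
        return False  # Release tampered or not signed by the archive
    if parse_release_hashes(release).get("main/binary-all/Packages") != sha256(packages):
        return False  # Packages index does not match the signed Release
    return parse_packages_hashes(packages).get(filename) == sha256(deb)


def dpkg_sig_signers(deb, sigs):
    """dpkg-sig style: which known roles have validly signed this exact .deb?"""
    return sorted(role for role, sig in sigs.items()
                  if role in SIGNER_KEYS and verify(SIGNER_KEYS[role], deb, sig))


if __name__ == "__main__":
    print("fixed, via Release:", verify_via_release(DEB_FIXED, FIXED_NAME, RELEASE, RELEASE_SIG, PACKAGES))
    print("old, via Release:  ", verify_via_release(DEB_OLD, OLD_NAME, RELEASE, RELEASE_SIG, PACKAGES))
    print("old, dpkg-sig signers:", dpkg_sig_signers(DEB_OLD, DPKG_SIGS[DEB_OLD]))
```

The old package passes the per-package check with both signers intact (it really did
come through the developer and katie untampered), yet fails the Release chain, which
is exactly why the two checks complement rather than replace each other.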