
Re: apt 0.6 in experimental

On Monday 29 December 2003 00:52, Matt Zimmerman wrote:
> On Mon, Dec 29, 2003 at 12:11:32AM +0200, George Danchev wrote:
> > 	Ok, one more thing. It would be nice if by downloading with apt-get
> > source, dpkg-source (or apt-get itself) processes the *.dsc file and
> > checks if the signature is good and if so if the sums match. Also in case
> > of mismatch apt-key to suggest upgrade or rsync debian-keyring.
> apt 0.6 will provide similar prompting for "apt-get source" as "apt-get
> install".  apt will not attempt to interpret the .dsc file; that is
> dpkg-source's job.  dpkg-source already verifies the checksums, and
> dscverify is available to check the signature.

Thanks for the clarification. I hope Javier won't miss this and will add it to 
the 'securing-debian-howto' about how to verify Debian's source packages.
My suggestion and personal point of view is that the dscverify utility must be 
included in the dpkg src tree (and not in devscripts's one) ... also there should 
be an option srcsigs/no-srcsigs for /etc/dpkg/dpkg.cfg to control whether 
dpkg-source calls dscverify or not ... similar to the no-debsigs option for 

One could really lose himself within the cosmopolitic world of Debian.

pub  4096R/0E4BD0AB 2003-03-18 <keyserver.bu.edu>
1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB 
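
The checksum half of the verification discussed in this message, as an added example that is not part of the original mail and is not dpkg or devscripts code. It assumes the `Checksums-Sha256` field of present-day .dsc files; the function names, file names and sample data are constructed. It does not check the OpenPGP signature, which the quoted reply assigns to dscverify, so a matching sum only shows the files agree with the .dsc, not that the .dsc is authentic.

```python
import hashlib

def parse_dsc_checksums(dsc_text, field="Checksums-Sha256"):
    """Return {filename: (hex_digest, size)} from one multi-line .dsc field."""
    entries, in_field = {}, False
    for line in dsc_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
        elif in_field:
            if not line.startswith(" "):  # continuation lines are indented
                break
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
    return entries

def verify_sources(dsc_text, files):
    """Compare files ({name: bytes}) with the .dsc; return {name: status}."""
    status = {}
    for name, (digest, size) in parse_dsc_checksums(dsc_text).items():
        data = files.get(name)
        if data is None:
            status[name] = "missing"
        elif len(data) != size:
            status[name] = "size mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            status[name] = "hash mismatch"
        else:
            status[name] = "ok"
    return status

# Constructed sample data: two tiny stand-ins for the source files.
SAMPLE_FILES = {
    "hello_1.0.orig.tar.gz": b"constructed upstream tarball bytes",
    "hello_1.0-1.debian.tar.xz": b"constructed packaging bytes",
}

def make_sample_dsc(files):
    """Build a constructed, unsigned .dsc body listing the given files."""
    lines = ["Format: 3.0 (quilt)", "Source: hello", "Version: 1.0-1",
             "Checksums-Sha256:"]
    lines += [f" {hashlib.sha256(d).hexdigest()} {len(d)} {n}"
              for n, d in files.items()]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    dsc = make_sample_dsc(SAMPLE_FILES)
    tampered = {**SAMPLE_FILES,
                "hello_1.0.orig.tar.gz": b"constructed upstream tarball bytez"}
    print(verify_sources(dsc, SAMPLE_FILES))
    print(verify_sources(dsc, tampered))
```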
