Scripsit Steve Langasek <vorlon@debian.org>
> On Wed, Jan 05, 2005 at 11:47:57PM +0000, Henning Makholm wrote:

>> Does it also apply to signing .dsc's?

> The archive scripts won't act on an uploaded .dsc without an accompanying
> .changes file, so this is not an issue.  Moreover, signing your .dsc
> provides a trust path to your source code

I think that is what I meant: If I sign a .dsc that is not intended to
be uploaded, is there a risk that this trust path ends up in the
archive because somebody else constructs a .changes to put them in?
The "somebody else" would have to be a DD, but the signature the
general public [1] would see in aptable source repositories would be

Or do the archive scripts check that the key that signed the .dsc is
the same that signed the .changes accompanying them?

[1] People with sufficient knowledge would know to look up the
    .changes in the PTS or the mailing list archives, but it is not
    generally distributed afaiu.

Henning Makholm          "Ambiguous cases are defined as those for which the
                       compiler being used finds a legitimate interpretation
                   which is different from that which the user had in mind."
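The check Henning asks about, written out as an added example rather than anything from the thread or from Debian's archive scripts: it parses the status records that `gpg --status-fd` emits when verifying a detached or clearsigned file, pulls the signing key fingerprint from the VALIDSIG record for the .dsc and for the .changes, confirms the .changes actually lists that .dsc in its Files: field, and only then reports that the two signatures come from the same key. The status output and the .changes body below are constructed samples (the fingerprints and names are placeholders, not real keys or uploaders); what the real archive scripts do is exactly the open question in the mail.

```python
import re

# Constructed sample gpg --status-fd output for two files.  Only the
# VALIDSIG record matters for this check; the format is
# VALIDSIG <sig fpr> <date> <timestamp> <expire> <ver> <reserved>
#          <pubkey algo> <hash algo> <sig class> [<primary key fpr>]
DSC_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Uploader <uploader@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2005-01-05 1104968877 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""

# A .changes signed by a different (placeholder) key.
CHANGES_STATUS_OTHER = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Other Developer <other@example.invalid>
[GNUPG:] VALIDSIG 76543210FEDCBA9876543210FEDCBA9876543210 2005-01-06 1105055277 0 4 0 1 2 00 76543210FEDCBA9876543210FEDCBA9876543210
"""

# Constructed .changes body; the md5sums are filler, not real digests.
CHANGES_TEXT = """Format: 1.7
Source: foo
Version: 1.0-1
Files:
 00000000000000000000000000000000 812 misc optional foo_1.0-1.dsc
 00000000000000000000000000000000 1024 misc optional foo_1.0.orig.tar.gz
"""

FPR_RE = re.compile(r"^[0-9A-F]{40}$")


def signer_fingerprint(status_output):
    """Return the primary-key fingerprint from the first VALIDSIG record, or None.

    The primary fingerprint (last field) is preferred so that a signature made
    with a subkey is still attributed to the key the archive knows about.
    """
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 11 or fields[0] != "[GNUPG:]" or fields[1] != "VALIDSIG":
            continue
        fpr = fields[-1] if len(fields) >= 12 else fields[2]
        if FPR_RE.match(fpr):
            return fpr
    return None


def files_in_changes(changes_text):
    """Return the file names listed in the Files: field of a .changes body."""
    names = []
    in_files = False
    for line in changes_text.splitlines():
        if line.startswith("Files:"):
            in_files = True
            continue
        if not in_files:
            continue
        if not line.startswith(" "):
            in_files = False  # next field starts; Files: is finished
            continue
        parts = line.split()
        if len(parts) == 5:  # md5 size section priority name
            names.append(parts[4])
    return names


def dsc_signer_matches_changes(dsc_name, dsc_status, changes_text, changes_status):
    """Check that the .dsc and the .changes referencing it were signed by one key.

    Returns (ok, reason).  ok is True only when the .changes lists dsc_name
    and both VALIDSIG fingerprints are present and identical.
    """
    if dsc_name not in files_in_changes(changes_text):
        return False, "changes does not list %s" % dsc_name
    dsc_fpr = signer_fingerprint(dsc_status)
    changes_fpr = signer_fingerprint(changes_status)
    if dsc_fpr is None or changes_fpr is None:
        return False, "missing VALIDSIG for dsc or changes"
    if dsc_fpr != changes_fpr:
        return False, "dsc signed by %s but changes signed by %s" % (dsc_fpr, changes_fpr)
    return True, "same key"


if __name__ == "__main__":
    print(dsc_signer_matches_changes("foo_1.0-1.dsc", DSC_STATUS, CHANGES_TEXT, CHANGES_STATUS_OTHER))
    print(dsc_signer_matches_changes("foo_1.0-1.dsc", DSC_STATUS, CHANGES_TEXT, DSC_STATUS))
```

In practice the status text would come from `gpg --status-fd 1 --verify <file>` on each of the two files; the parser above is deliberately indifferent to everything except VALIDSIG, so unrelated status records do not need special handling. A stricter variant would also refuse a .dsc whose Files: entry size or checksum in the .changes disagrees with the file on disk, which is what makes the .changes actually bind to that particular .dsc.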

