Re: Experimental gaim_1.1.1-2 for Alpha

On Thu, Jan 06, 2005 at 12:55:14PM +0000, Henning Makholm wrote:
> Scripsit Steve Langasek <vorlon@debian.org>
> > On Wed, Jan 05, 2005 at 11:47:57PM +0000, Henning Makholm wrote:

> >> Does it also apply to signing .dsc's?

> > The archive scripts won't act on an uploaded .dsc without an accompanying
> > .changes file, so this is not an issue.  Moreover, signing your .dsc
> > provides a trust path to your source code

> I think that is what I meant: If I sign a .dsc that is not intended to
> be uploaded, is there a risk that this trust path ends up in the
> archive because somebody else constructs a .changes to put them in?
> The "somebody else" would have to be a DD, but the signature the
> general public [1] would see in aptable source repositories would be
> mine.

I believe katie does check the sigs on .dscs, which requires that the sig be
from a DD.  Even if there were a bug in this check, I wouldn't worry overly
much; *you* wouldn't be the one in trouble for uploading a package in that
state ;P

Steve Langasek
postmodern programmer

