On Thu, Jan 06, 2005 at 12:55:14PM +0000, Henning Makholm wrote: > Scripsit Steve Langasek <vorlon@debian.org> > > On Wed, Jan 05, 2005 at 11:47:57PM +0000, Henning Makholm wrote: > >> Does it also apply to signing .dsc's? > > The archive scripts won't act on an uploaded .dsc without an accompanying > > .changes file, so this is not an issue. Moreover, signing your .dsc > > provides a trust path to your source code > I think that is what I meant: If I sign a .dsc that is not intended to > be uploaded, is there a risk that this trust path ends up in the > archive because somebody else constructs a .changes to put them in? > The "somebody else" would have to be a DD, but the signature the > general public [1] would see in aptable source repositories would be > mine. I believe katie does check the sigs on .dscs, which requires that the sig be from a DD. Even if there were a bug in this check, I wouldn't worry overly much, *you* wouldn't be the one in trouble for uploading a package in that state ;P -- Steve Langasek postmodern programmer
Attachment:
signature.asc
Description: Digital signature