On Wed, Nov 23, 2005 at 11:33:47AM +0100, Florian Weimer wrote: > * Marc Brockschmidt: > > Today (or last night, whatever), the dak installation on ftp-master was > > changed to not accept packages that include more than 3 parts, which are > > usually the binary version and the compressed control and data > > tarballs. This means that signed binary packages are rejected. > This is a pity. I think dpkg-sig is an important step into the right > direction: providing more assurances about package integrity to our > users. Personally, I think it's cryptographic snake oil, at least in so far as it relates to Debian. I remain interested in seeing any realistic demonstration of how a Debian user could reasonably rely on them for any practical assurance. > since May 31. The diff at > <http://cvs.debian.org/dak/jennifer?root=dak&r1=1.56&r2=1.57> shows > that the additional check was *removed*, not *added* more than a week > ago. Yes; CVS was corrupted in May and hadn't been updated 'til the other week. http://azure.humbug.org.au/~aj/blog/2005/11/16#2005-11-16-dak > Since there is no way for Debian Developers to review the way Debian > packages are created (and it's totally out of question for end users), buildd.debian.org gives full logs, to developers or users. > something that provides DD-to-user package signatures at least in some > cases is very desirable indeed. debian-devel-changes provides this. Cheers, aj
Attachment:
signature.asc
Description: Digital signature