[Erinn Clark] > Yet just today you filed a bug (#340403) for documentation to be > included in the package since you were unable to explain dpkg-sig's > strengths. How is it possible for you to claim something is more secure > when you don't understand it well enough to say how it's different? That's unfair and you know it. It seems he *did* educate himself about dpkg-sig: "I had to look for a while to find the dpkg-sig FAQ on the web page." It is perfectly reasonable to want users to have easy access to this information, given the rather confusing array of signature-related packages and options in Debian packaging. Not knowing the relative advantages of dpkg-sig versus debsigs is hardly the same thing as being unqualified to speak about the reasons (or lack thereof) to support signed .debs. And, from what I understand, the dak change which proved so contentious broke both equally. (Whether Andreas's script counted packages signed with debsigs as well as those signed with dpkg-sig, I don't know, as I don't have access to it.) I do think a feature comparison and compatibility matrix would be useful to have, between dpkg-buildpackage/debsign (for signing .changes and .dsc files), debsigs (for signing .deb files), dpkg-sig (for signing and verifying .deb files) and debsig-verify (for verifying .deb files).
Attachment:
signature.asc
Description: Digital signature