[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: dpkg-sig support wanted?

Anthony Towns <aj@azure.humbug.org.au> writes:

> On Thu, Nov 24, 2005 at 06:28:04PM +0100, Florian Weimer wrote:
> If you just want to check hashes, you should just use changes files. If
> you _actually_ want to check hashes, and this isn't just a thought
> experiment, working out a usable way to deliver .changes for whatever
> purpose you've got in mind would be a good idea. (Again though, I don't
> see a point to them, beyond reverification of the archive in the event
> of an exploit. Of course, maybe that's what you want to do...)

We have a perfectly useable and trivial way to deliver the hashes,
which is the intresting part of the changes file for security. It is
the signature in the deb.

For comparison: Why do we have a signature in dsc files? From your
arguments that signature is completly useless since changes files
already provide all that is needed.

We still sign dsc files because it is just that much easier to apt-get
source foo and verify it. And that is a good thing. Why are you so set
in stone against allowing the same for debs?


Reply to: