[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: dpkg-sig support wanted?

On Fri, Nov 25, 2005 at 03:22:37PM +0100, Goswin von Brederlow wrote:
> A signature in the deb by a random developer is as trustworthy as the
> changes file and you already trust that. So we are going from snakeoil
> to snakoil. No harm done.

It's not the same, actually.  A signature in a .deb needs to be made by a
key which is still trustworthy at the time of verification, which could be
quite some time in the future.  The key which makes a .changes signature, in
contrast, only *needs* to be valid at the time the upload is made -- if it
is later compromised, it's not important, because by that time the archive
signing key hsa taken over the role of integrity verification.

Of course, using the signature on the .changes to verify the .debs
independent from the archive at some later date is a nice side-benefit, but
one which suffers from the same key-lifetime issues as in-deb signatures,
and since the .changes from autobuilt uploads aren't publically available
(apparently d-d-$arch-changes isn't archived, from info previously posted in
this thread) that method of package authentication isn't going to be 100%
reliable anyway.

- Matt

Attachment: signature.asc
Description: Digital signature

Reply to: