Re: dpkg-sig support wanted?

Olaf van der Spek <olafvdspek@gmail.com> writes:

> On 11/25/05, Matthew Palmer <mpalmer@debian.org> wrote:
>> Of course, using the signature on the .changes to verify the .debs
>> independent from the archive at some later date is a nice side-benefit, but
>> one which suffers from the same key-lifetime issues as in-deb signatures,
> What exactly is this key lifetime issue?
> Is it a cryptographic issue?

A key can expire, get stolen / lost or get compromised and
revoked. Once that happens you can't trust any signature made by that

Although one can probably argue that an expired key still has enough
trust to verify old debs. Many people don't set an expiry date anyway.

While this sounds like a big problem let's have some numbers:

Shortly before the sarge release we imported all source packages into
the debian-amd64 DAK and actually did have the problem with dsc file
signatures. But that was a problem of maybe 20 packages (out of
over 8000).

Overall a minuscule problem. If I can verify all but 20 packages that
really is a great bonus.

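The key-lifetime distinction drawn in the reply above (an expired key versus a stolen-and-revoked one, and whether an old .dsc or .deb signature still stands), as an added Python example that is not part of this thread or of dpkg-sig. The KeyStatus fields, the verdict strings and the sample keys are assumptions and constructed data, not anything from a real keyring.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def ts(year, month, day):
    """UTC timestamp helper for the constructed sample data below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class KeyStatus:
    """Hypothetical key metadata, as a verifier would read it from a keyring."""
    key_id: str
    created: datetime
    expires: Optional[datetime] = None
    revoked_at: Optional[datetime] = None
    # "compromised" (key stolen) or "superseded" (retired cleanly)
    revocation_reason: Optional[str] = None


def classify_signature(key: KeyStatus, sig_time: datetime, now: datetime) -> str:
    """Decide what a signature made at sig_time with key is worth at time now.

    "trusted"         - key was valid at signing time and still is
    "trusted-expired" - key has since expired or been retired; signature predates that
    "untrusted"       - signature cannot be relied upon
    """
    if sig_time < key.created:        # a signature older than its key is bogus
        return "untrusted"
    if key.revocation_reason == "compromised":
        # Whoever holds the stolen key also controls the timestamp on any
        # signature it makes, so a signing time before the revocation proves nothing.
        return "untrusted"
    if key.revoked_at is not None:    # clean retirement: old signatures stand
        return "trusted-expired" if sig_time < key.revoked_at else "untrusted"
    if key.expires is not None:
        if sig_time >= key.expires:
            return "untrusted"
        if now >= key.expires:
            return "trusted-expired"
    return "trusted"


def example_verdicts(now=ts(2007, 1, 1)):
    """Constructed sample keys checked against a .dsc signature dated 2005-03-01."""
    signed = ts(2005, 3, 1)
    expired = KeyStatus("EXPIRED1", ts(2003, 1, 1), expires=ts(2006, 1, 1))
    stolen = KeyStatus("STOLEN01", ts(2003, 1, 1), ts(2006, 1, 1), ts(2005, 6, 1), "compromised")
    retired = KeyStatus("RETIRED1", ts(2003, 1, 1), None, ts(2005, 6, 1), "superseded")
    return {k.key_id: classify_signature(k, signed, now) for k in (expired, stolen, retired)}
```

The "trusted-expired" verdict is the case the reply argues is still good enough to verify old debs; the compromised-key case is why a bare "signed before revocation" check is not.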

