Anthony Towns <aj@azure.humbug.org.au> writes:

> .deb signatures are aimed at giving users some sort of assurance the
> package is "valid"; but when you actually look into it -- at least in
> Debian's circumstances -- those signatures can't actually give any
> meaningful assurance for any specific validity.

Don't they give the user the assurance that a Debian developer was
responsible for building and providing the package?