
Re: dpkg-sig support wanted?



On Fri, Nov 25, 2005 at 12:49:11PM -0800, Thomas Bushnell BSG wrote:
> Anthony Towns <aj@azure.humbug.org.au> writes:
> > .deb signatures are aimed at giving users some sort of assurance the
> > package is "valid"; but when you actually look into it -- at least in
> > Debian's circumstances -- those signatures can't actually give any
> > meaningful assurance for any specific validity.
> Don't they give the user the assurance that a Debian developer was
> responsible for building and providing the package?

Not really; they give the assurance that it was built by someone who at
some point possessed a key that at some point was considered sufficient
to identify a Debian developer or a buildd.

What assurance would you take from a package signed by Chip's old key?

(And why do you think it's actually helpful? Debian developers build
*lots* of crap, especially if you can't differentiate stuff uploaded to
Debian and not)

Cheers,
aj

Attachment: signature.asc
Description: Digital signature
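The distinction drawn in the reply above (a valid signature proves that someone held a key, not that the key was an authorised developer or buildd key at the time the package was built) can be made concrete as a policy check layered over cryptographic verification. This is an added Python example, not code from the thread or from dpkg-sig; the key ids, owners, dates and keyring history are constructed, and the cryptographic signature check is assumed to have already succeeded.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Constructed keyring history: hypothetical key ids, owners and dates, not
# Debian's real keyring. `removed` is None while a key is still present.
@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    owner: str
    added: date
    removed: Optional[date]

KEYRING_HISTORY = [
    KeyRecord("OLDKEY001", "chip", date(1998, 1, 1), date(2003, 6, 1)),  # retired key
    KeyRecord("NEWKEY002", "chip", date(2003, 6, 1), None),
    KeyRecord("BUILDD003", "buildd-i386", date(2001, 1, 1), None),
]

def record_at(key_id: str, when: date) -> Optional[KeyRecord]:
    """Return the record if key_id was in the developer keyring on `when`."""
    for rec in KEYRING_HISTORY:
        in_window = rec.added <= when and (rec.removed is None or when < rec.removed)
        if rec.key_id == key_id and in_window:
            return rec
    return None

def assess(key_id: str, claimed_signing: date,
           archive_accepted: Optional[date] = None) -> Tuple[bool, str]:
    """Say what a cryptographically valid .deb signature actually attests.

    Cryptographic verification is assumed to have passed already. `claimed_signing`
    is the timestamp inside the signature, chosen by whoever held the key;
    `archive_accepted` is a time recorded by the archive. Only the latter is
    independent of the signer, so it is preferred as the moment at which keyring
    membership is checked.
    """
    anchor = archive_accepted if archive_accepted is not None else claimed_signing
    basis = "archive timestamp" if archive_accepted is not None else "signer-asserted timestamp"
    rec = record_at(key_id, anchor)
    if rec is None:
        ever = [r for r in KEYRING_HISTORY if r.key_id == key_id]
        if not ever:
            return False, f"key {key_id} was never in the keyring"
        return False, (f"key {key_id} ({ever[0].owner}) was outside its keyring window "
                       f"on {anchor} ({basis}): the signature proves possession of "
                       f"a key, not developer status at that time")
    note = "" if archive_accepted is not None else "; caveat: anchor is signer-asserted and could be backdated"
    return True, f"key {key_id} ({rec.owner}) was in the keyring on {anchor} ({basis}){note}"
```

Run with the constructed history, a signature from the retired key is rejected when the archive's own acceptance time is used as the anchor, but passes when only the signer-chosen timestamp is available, which is why the check alone cannot give the assurance the quoted question asks for.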
