Re: dpkg-sig support wanted?
Anthony Towns <email@example.com> writes:
> On Fri, Nov 25, 2005 at 12:49:11PM -0800, Thomas Bushnell BSG wrote:
>> Anthony Towns <firstname.lastname@example.org> writes:
>> > .deb signatures are aimed at giving users some sort of assurance the
>> > package is "valid"; but when you actually look into it -- at least in
>> > Debian's circumstances -- those signatures can't actually give any
>> > meaningful assurance for any specific validity.
>> Don't they give the user the assurance that a Debian developer was
>> responsible for building and providing the package?
> Not really, they give the assurance that it was built by someone who at
> some point possessed a key that at some point was considered sufficient
> to identify a Debian developer or a buildd.
> What assurance would you take from a package signed by Chip's old key?
> (And why do you think it's actually helpful? Debian developers build
> *lots* of crap, especially if you can't differentiate stuff uploaded to
> Debian and not)
They also upload *lots* of crap. Should we stop using Release.gpg now?