Re: dpkg-sig support wanted?

To: debian-devel@lists.debian.org
Subject: Re: dpkg-sig support wanted?
From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
Date: Tue, 29 Nov 2005 14:17:44 +0100
Message-id: <[🔎] 87wtirr3t3.fsf@informatik.uni-tuebingen.de>
In-reply-to: <[🔎] 20051125225248.GB21979@cyan.localnet> (Anthony Towns's message of "Sat, 26 Nov 2005 08:52:48 +1000")
References: <[🔎] 877jb0iswl.fsf@nahar.marcbrockschmidt.de> <[🔎] 87fypntzzo.fsf@mid.deneb.enyo.de> <[🔎] 20051123160817.GB13417@cyan.localnet> <[🔎] 20051123183705.GE29646@khazad-dum.debian.net> <[🔎] 20051124015433.GB15019@cyan.localnet> <[🔎] 20051124124338.GD17550@khazad-dum.debian.net> <[🔎] 20051125022052.GA19298@cyan.localnet> <[🔎] 878xvcqwqg.fsf@becket.becket.net> <[🔎] 20051125225248.GB21979@cyan.localnet>

Anthony Towns <aj@azure.humbug.org.au> writes:

> On Fri, Nov 25, 2005 at 12:49:11PM -0800, Thomas Bushnell BSG wrote:
>> Anthony Towns <aj@azure.humbug.org.au> writes:
>> > .deb signatures are aimed at giving users some sort of assurance the
>> > package is "valid"; but when you actually look into it -- at least in
>> > Debian's circumstances -- those signatures can't actually give any
>> > meaningful assurance for any specific validity.
>> Don't they give the user the assurance that a Debian developer was
>> responsible for building and providing the package?
>
> Not really, they give the assurance that it was built by someone who at
> some point possessed a key that at some point was considered sufficient
> to identify a Debian developer or a buildd.
>
> What assurance would you take from a package signed by Chip's old key?
>
> (And why do you think it's actually helpful? Debian developers build
> *lots* of crap, especially if you can't differentiate stuff uploaded to
> Debian and not)
>
> Cheers,
> aj

They also upload *lots* of crap. Should we stop using Release.gpg now?

MfG
        Goswin

Reply to:

References:
- dpkg-sig support wanted?
  - From: Marc 'HE' Brockschmidt <he@debian.org>
- Re: dpkg-sig support wanted?
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: dpkg-sig support wanted?
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: dpkg-sig support wanted?
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: dpkg-sig support wanted?
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: dpkg-sig support wanted?
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: dpkg-sig support wanted?
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: dpkg-sig support wanted?
  - From: Thomas Bushnell BSG <tb@becket.net>
- Re: dpkg-sig support wanted?
  - From: Anthony Towns <aj@azure.humbug.org.au>

Prev by Date: Re: dpkg-sig support wanted?
Next by Date: Re: dpkg-sig support wanted?
Previous by thread: Re: dpkg-sig support wanted?
Next by thread: Re: dpkg-sig support wanted?
Index(es):
- Date
- Thread