Re: Bug#540215: Introduce dh_checksums
On Fri, Mar 19, 2010 at 10:38:24AM +0100, Goswin von Brederlow wrote:
> You can always sign the deb. The tools to sign and verify are all
> present. Only ftp-master stands in the way of using that.
I would love signed debs. But this is orthogonal to signed checksum
files and should probably discussed separately.
> And you could automatically download the changes files along with every
> deb and keep all changes files for installed package/version
> locally. Anyway, I don't consider a ftp/http client a lot of
> infrastructure. It would be trivial to write a tool that downloads the
> changes files for every installed package and verifies it.
The central repository is the infrastracture, not the http client.
> All changes files are already kept. And you would go directly to
> fetching the changes file for the package/version you have
> installed. All it would need is for the changes file archive to become
> public.
If the signature was part of the package, this wasn't needed.
harry
Reply to: