Re: Bug#540215: Introduce dh_checksums

On Fri, Mar 19, 2010 at 10:38:24AM +0100, Goswin von Brederlow wrote:

> You can always sign the deb. The tools to sign and verify are all
> present. Only ftp-master stands in the way of using that.

I would love signed debs. But this is orthogonal to signed checksum
files and should probably be discussed separately.

> And you could automatically download the changes files along with every
> deb and keep all changes files for installed package/version
> locally. Anyway, I don't consider a ftp/http client a lot of
> infrastructure. It would be trivial to write a tool that downloads the
> changes files for every installed package and verifies it.

The central repository is the infrastructure, not the http client.

> All changes files are already kept. And you would go directly to
> fetching the changes file for the package/version you have
> installed. All it would need is for the changes file archive to become
> public.

If the signature were part of the package, this wouldn't be needed.


