
Re: tag2upload service architecture and risk assessment - draft v2



On Wed, Aug 28, 2019 at 04:02:32PM +0500, Andrey Rahmatullin wrote:
> On Wed, Aug 28, 2019 at 12:09:41AM -0400, Scott Kitterman wrote:
> > I also check that the signature validates when I download a package from the 
> > archive.  I like the fact that this signature connects to a developer key in 
> > the keyring.
> I think this doesn't work for e.g. old packages whose last uploader is
> already retired or changed the key.

it does, though nobody said it was easy.

src:debian-keyring is available on snapshot.d.o, so it's possible.


-- 
cheers,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

Attachment: signature.asc
Description: PGP signature

