Bug#41794: dpkg-buildpackage PGP key lookup
On Fri, Oct 22, 1999 at 07:42:39PM -0400, Brian White wrote:
> reopen 41794
> --
>
> Nobody bothered to send any information about why this bug was closed,
> but by looking through the logs...
>
> In the case of a key lookup in a ring, I can't see any reason why the
> email address alone would not be enough to make it unique. It's not
> a security thing since the security comes from having access to and
> the passphrase for the private key, so it's simply a matter of convenience.
> It would be convenient if dpkg wasn't so picky on this matter.
Apologies, it's been tedious work going through all the dpkg bugs, and I seem
to have overlooked a few details in going through these. There is a higher issue
at stake here though. The real problem is that having a maintainer address
that is not referenced in the key ring is, IMO, bad. So by allowing a feature that
permits signing a maintainer address that isn't in the keyring, we are breaking
some fundamental necessities for package signing.
I still believe it is a bad idea and the bug should be closed since I wouldn't
ever want to see it implemented, but it's not my bug, nor am I the official
maintainer. So you are free to leave it as you see fit.
Ben