
Bug#41794: dpkg-buildpackage PGP key lookup

On Fri, Oct 22, 1999 at 07:42:39PM -0400, Brian White wrote:
> reopen 41794
> -- 
> Nobody bothered to send any information about why this bug was closed,
> but by looking through the logs...
> In the case of a key lookup in a ring, I can't see any reason why the
> email address alone would not be enough to make it unique.  It's not
> a security thing since the security comes from having access to and
> the passphrase for the private key, so it's simply a matter of convenience.
> It would be convenient if dpkg wasn't so picky on this matter.

Apologies, it's been tedious work going through all the dpkg bugs, and I seem
to have overlooked a few details in going through these. There is a higher issue
at stake here though. The real problem is that having a maintainer address
that is not referenced in the key ring is, IMO, bad. So by allowing a feature that
permits signing a maintainer address that isn't in the keyring, we are breaking
some fundamental necessities for package signing.

I still believe it is a bad idea and the bug should be closed since I wouldn't
ever want to see it implemented, but it's not my bug, nor am I the official
maintainer. So you are free to leave it as you see fit.

