Bug#41794: dpkg-buildpackage PGP key lookup
> > In the case of a key lookup in a ring, I can't see any reason why the
> > email address alone would not be enough to make it unique. It's not
> > a security thing since the security comes from having access to and
> > the passphrase for the private key, so it's simply a matter of convenience.
> > It would be convenient if dpkg wasn't so picky on this matter.
>
> Apologies, it's been tedious work going through all the dpkg bugs, and I seem
> to have overlooked a few details in going through these. There is a higher issue
> at stake here though. The real problem is that having a maintainer address
> that is not referenced in the key ring is, IMO, bad. So by allowing a feature that
> permits signing a maintainer address that isn't in the keyring, we are breaking
> some fundamental necessities for package signing.
It isn't a person's name that is the important entry in the keyring; it's
the digital signature that uniquely identifies someone. You could, in
theory, have multiple package maintainers at the same email address. The
fact that a full name is listed as part of the address is merely a
convenience for us humans. I think any lookup that would produce a
unique private key should be sufficient.
Brian
( bcwhite@pobox.com )
-------------------------------------------------------------------------------
Relationships go through seasons. Winter often comes before Spring.