
Bug#41794: dpkg-buildpackage PGP key lookup

> > It isn't a person's name that is the important entry in the keyring; it's
> > the digital signature that uniquely identifies someone.  You could, in
> > theory, have multiple package maintainers at the same email address.  The
> > fact that a full name is listed as part of the address is merely a
> > convenience for us humans.  I think any lookup that would produce a
> > unique private key should be sufficient.
> However these signatures are then gone. Which means that the only way to
> check a package's maintainer against the keyring is via the maintainer field.
> With your method, it would not be possible.

That situation exists today.  Only the digital signature is verified.
Unless I'm mistaken, my key in the debian keyring does not have the
name I sign my packages as, though the email address will match.  If
somebody does a match for my email address, though, it will find a
unique entry.

                                  ( bcwhite@pobox.com )

 We've all had "bad experiences", but there is no such thing as bad experience.
