thoughts on signature verification
So, one of the things I want to do for the new dpkg-source is to
actually verify signatures on source packages. I noticed debsigs and
debsig-verify, but they appear to only operate on .deb packages.
What I think would be nice is to make debsig-verify a bit more generic,
so dpkg-source could use it to verify the signatures on .dsc files
Also, I do think that we could create a good default policy which would
provide a reasonable amount of additional security, and not be too
intrusive. Basically, the policy should default to verifying against
the Debian keyring, or /etc/dpkg/local-keys.gpg or something. That way
someone applying to NM could just drop their key in that file, and tell
their sponsor to do the same.
So Ben, what do you think about this?
Of course, we really need to make apt verify the Release signature