[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: thoughts on signature verification

On Thu, 2002-08-08 at 03:42, Anthony Towns wrote:

> Apt can/should handle things in a more complicated way; in particular if
> it's downloading packages from Debian it should expect a Debian signature,
> while downloading Blackdown Java or OpenOffice.org stuff should have a
> signature from a Blackdown or OpenOffice.org key. 


> Dpkg, OTOH, can't tell where a package is meant to have come from, 

Well, there is the Origin: field.  debsig-verify maps that to a key to
verify.  So it is in some sense verifying where the package was "meant
to have come from", no?

> 	c) Check that the signature is from the "Maintainer:"

Well, this breaks for NMU's...

Reply to: