Re: thoughts on signature verification
On Thu, 2002-08-08 at 03:42, Anthony Towns wrote:
> Apt can/should handle things in a more complicated way; in particular if
> it's downloading packages from Debian it should expect a Debian signature,
> while downloading Blackdown Java or OpenOffice.org stuff should have a
> signature from a Blackdown or OpenOffice.org key.
> Dpkg, OTOH, can't tell where a package is meant to have come from,
Well, there is the Origin: field. debsig-verify maps that to a key to
verify. So it is in some sense verifying where the package was "meant
to have come from", no?
> c) Check that the signature is from the "Maintainer:"
Well, this breaks for NMUs...
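The two policies under discussion can be compared side by side: the reply's point that the Origin: field selects which key a package is expected to be signed with, and the objection that checking the signer against Maintainer: rejects non-maintainer uploads. The following is an added illustration, not code from the thread or from debsig-verify; it uses HMAC-SHA256 as a stand-in for OpenPGP signatures so it runs offline with the standard library, and the control stanza, key names and payload are constructed.

```python
import hashlib
import hmac

# Constructed stand-ins for OpenPGP keys: HMAC secrets keyed by name.
# debsig-verify consults real keyrings; HMAC is used here only so the
# example runs offline with the standard library.
ORIGIN_KEYS = {
    "Debian": b"constructed-debian-archive-key",
    "Blackdown": b"constructed-blackdown-key",
}
DEVELOPER_KEYS = {
    "Alice <alice@example.org>": b"constructed-alice-key",
    "Bob <bob@example.org>": b"constructed-bob-key",
}


def parse_control(text):
    """Parse one control stanza into a dict; continuation lines are appended."""
    fields = {}
    last = None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and last is not None:
            fields[last] += "\n" + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip()
            fields[last] = value.strip()
    return fields


def sign(key, payload):
    """Stand-in signature: HMAC-SHA256 over the package payload."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_with_key(key, payload, signature):
    """Reject when no key is mapped, otherwise compare in constant time."""
    return key is not None and hmac.compare_digest(sign(key, payload), signature)


def verify_by_origin(control, payload, archive_sig):
    """Policy from the reply: Origin: selects the key that must have signed."""
    return verify_with_key(ORIGIN_KEYS.get(control.get("Origin")), payload, archive_sig)


def verify_by_maintainer(control, payload, uploader_sig):
    """Policy (c) from the quoted mail: the uploader's signature must be the Maintainer's."""
    return verify_with_key(DEVELOPER_KEYS.get(control.get("Maintainer")), payload, uploader_sig)


# Constructed NMU: Alice maintains the package, Bob uploaded it, the Debian archive signed it.
NMU_CONTROL = parse_control(
    "Package: example\n"
    "Version: 1.0-1.1\n"
    "Maintainer: Alice <alice@example.org>\n"
    "Origin: Debian\n"
    "Description: constructed package\n"
    " second line of the description\n"
)
NMU_PAYLOAD = b"constructed .deb contents"
NMU_ARCHIVE_SIG = sign(ORIGIN_KEYS["Debian"], NMU_PAYLOAD)
NMU_UPLOADER_SIG = sign(DEVELOPER_KEYS["Bob <bob@example.org>"], NMU_PAYLOAD)


def nmu_results():
    """(origin policy ok, maintainer policy ok) for the constructed NMU."""
    return (
        verify_by_origin(NMU_CONTROL, NMU_PAYLOAD, NMU_ARCHIVE_SIG),
        verify_by_maintainer(NMU_CONTROL, NMU_PAYLOAD, NMU_UPLOADER_SIG),
    )


def tampered_results():
    """Same package with a modified payload: both policies must reject it."""
    bad = NMU_PAYLOAD + b" tampered"
    return (
        verify_by_origin(NMU_CONTROL, bad, NMU_ARCHIVE_SIG),
        verify_by_maintainer(NMU_CONTROL, bad, NMU_UPLOADER_SIG),
    )


def unknown_origin_result():
    """A package claiming an Origin: with no mapped key is rejected outright."""
    control = dict(NMU_CONTROL, Origin="Unknown Vendor")
    return verify_by_origin(control, NMU_PAYLOAD, NMU_ARCHIVE_SIG)


if __name__ == "__main__":
    print("NMU      (origin ok, maintainer ok):", nmu_results())
    print("tampered (origin ok, maintainer ok):", tampered_results())
    print("unknown origin accepted:", unknown_origin_result())
```

Run as a script it reports `(True, False)` for the NMU: the Origin-keyed check accepts the legitimately archive-signed package, while the Maintainer-keyed check fails because Bob's key, not Alice's, made the uploader signature. The tampered and unknown-origin cases show that the Origin mapping still rejects what it should.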