Re: thoughts on signature verification

To: debian-dpkg@lists.debian.org
Subject: Re: thoughts on signature verification
From: Colin Walters <walters@verbum.org>
Date: 09 Aug 2002 00:33:16 -0400
Message-id: <[🔎] 1028867596.17875.22.camel@space-ghost>
In-reply-to: <[🔎] 20020808074222.GC25999@azure.humbug.org.au>
References: <[🔎] 1028783074.9642.24.camel@space-ghost> <[🔎] 20020808074222.GC25999@azure.humbug.org.au>

On Thu, 2002-08-08 at 03:42, Anthony Towns wrote:

> Apt can/should handle things in a more complicated way; in particular if
> it's downloading packages from Debian it should expect a Debian signature,
> while downloading Blackdown Java or OpenOffice.org stuff should have a
> signature from a Blackdown or OpenOffice.org key. 

Definitely.

> Dpkg, OTOH, can't tell where a package is meant to have come from, 

Well, there is the Origin: field.  debsig-verify maps that to a key to
verify.  So it is in some sense verifying where the package was "meant
to have come from", no?

> 	c) Check that the signature is from the "Maintainer:"

Well, this breaks for NMU's...

Reply to:

References:
- thoughts on signature verification
  - From: Colin Walters <walters@debian.org>
- Re: thoughts on signature verification
  - From: Anthony Towns <aj@azure.humbug.org.au>

Prev by Date: Re: thoughts on signature verification
Next by Date: Re: Bug#155676: patch] dynamic sha1sums generation
Previous by thread: Re: thoughts on signature verification
Next by thread: Re: thoughts on signature verification
Index(es):
- Date
- Thread