On Mon, Feb 11, 2008 at 01:03:18PM +0100, Frank Lichtenheld wrote:
> > > > > The whole thing honestly doesn't do much for security anyway until the gpg
> > > > > support of dpkg-source is largely improved. For that I have no real concept
> > > > > yet, though.
> > > > Well, apt verifies them when it downloads the source before passing
> > > > it to dpkg to unpack; and there's also verification when entering the
> > > That would be news to me. And I can't seem to find that in the code,
> > > either.
> > $ apt-get source dpkg
> > Failed to fetch http://blah/debian/pool/main/d/dpkg/dpkg_1.13.25.dsc  MD5Sum mismatch
> I was talking about the GPG signature of the .dsc

Ah, right. No, that's not done; the chain of trust is:

  dak: .changes -> .dsc/etc (maintainer gpg, md5)
  apt: Release -> Sources -> .dsc/etc (archive gpg, sha1/sha256, md5)

Switching the .changes/.dsc/Sources checksum from md5 to sha1/sha256
still gets you the same benefit though.

Cheers,
aj
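The Release -> Sources -> .dsc checksum half of the apt chain described above, as an added example that is not part of the thread or of apt's code: the file contents are constructed, the Release file is assumed to have already been verified against the archive signing key, and only the sha256 fields are checked.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample files (not real archive content); each level carries
# the sha256 and size of the next, which is what apt walks when fetching.
DSC = b"Format: 1.0\nSource: dpkg\nVersion: 1.13.25\n"
SOURCES = (
    "Package: dpkg\nVersion: 1.13.25\nDirectory: pool/main/d/dpkg\n"
    "Checksums-Sha256:\n"
    f" {hashlib.sha256(DSC).hexdigest()} {len(DSC)} dpkg_1.13.25.dsc\n\n"
).encode()
RELEASE = (
    "Origin: Debian\nSuite: stable\nSHA256:\n"
    f" {hashlib.sha256(SOURCES).hexdigest()} {len(SOURCES)} main/source/Sources\n"
)


def parse_hash_section(text: str, header: str) -> Dict[str, Tuple[str, int]]:
    """Return {path: (hexdigest, size)} from an indented '<header>:' block,
    the layout used by both Release (SHA256:) and Sources (Checksums-Sha256:)."""
    out, active = {}, False
    for line in text.splitlines():
        if line.startswith(header + ":"):
            active = True
            continue
        if active and line.startswith(" "):
            digest, size, path = line.split()
            out[path] = (digest, int(size))
        else:
            active = False
    return out


def verify(blob: bytes, expected: Tuple[str, int]) -> bool:
    """Size and sha256 must both match the index entry."""
    digest, size = expected
    return len(blob) == size and hashlib.sha256(blob).hexdigest() == digest


def verify_chain(release: str, sources: bytes, dsc: bytes, dsc_name: str) -> bool:
    """Release -> Sources -> .dsc. Release is assumed signature-verified already;
    a mismatch anywhere below it rejects the download, as apt does."""
    idx = parse_hash_section(release, "SHA256")
    entry = idx.get("main/source/Sources")
    if entry is None or not verify(sources, entry):
        return False
    files = parse_hash_section(sources.decode(), "Checksums-Sha256")
    return dsc_name in files and verify(dsc, files[dsc_name])
```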