
signing .changes files for not-for-Debian packages (was Re: Openjdk-8 in Debian/backports?)



On Tue, 30 Dec 2014, tony mancill wrote:

> I built them today using the method described above, and the .changes
> file (openjdk-8_8u40~b09-1_amd64.changes) is signed with my Debian GPG key.

If you do that, ABSOLUTELY MAKE SURE TO CHANGE THE LINE
	Distribution: unstable
to something like:
	Distribution: myppa

Otherwise, *everyone* could now upload these files to
ftp-master, which would result in YOU signing for an
(unauthorised) upload to Debian sid. With bad timing,
you would not even realise that before the time for
dcut passes. Big shit.

Or use a separate PGP key.

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
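
A pre-signing guard for the advice in the message above, as an added example that is not part of the original post: it checks the Distribution field of a .changes file against an allowlist of private targets (such as the message's `myppa`) before handing the file to debsign. The function names and the sample .changes content are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): refuse to sign a .changes
# file unless its Distribution field names only private, allowlisted targets.

# Print the Distribution value. Field names are matched case-insensitively;
# continuation lines (leading space) and the PGP signature block are ignored,
# so this also works on a file that is already clearsigned.
changes_distribution() {
    awk '
        /^-----BEGIN PGP SIGNATURE-----/ { exit }
        tolower($0) ~ /^distribution:/ {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            print; exit
        }' "$1"
}

# Usage: changes_dist_allowed FILE ALLOWED_NAME...
# Returns 0 only if the field exists and every listed distribution is allowed.
# Runs in a subshell with globbing off so a value like "*" is not expanded.
changes_dist_allowed() (
    set -f
    file=$1; shift
    dists=$(changes_distribution "$file")
    [ -n "$dists" ] || exit 2            # missing field: refuse
    for d in $dists; do
        found=no
        for a in "$@"; do
            if [ "$d" = "$a" ]; then found=yes; fi
        done
        [ "$found" = yes ] || exit 1     # e.g. "unstable": refuse
    done
    exit 0
)

# Sign with debsign (devscripts) only after the check passes.
sign_private_changes() {
    if changes_dist_allowed "$@"; then
        debsign "$1"
    else
        echo "refusing to sign $1: Distribution '$(changes_distribution "$1")'" >&2
        return 1
    fi
}

# Constructed sample input: a minimal .changes header for the given suite.
sample_changes() {
    printf 'Format: 1.8\nSource: openjdk-8\nDistribution: %s\nChanges:\n openjdk-8 (8u40~b09-1) %s; urgency=medium\n' "$1" "$1"
}
```

Call it as `sign_private_changes openjdk-8_8u40~b09-1_amd64.changes myppa`; a file still carrying `Distribution: unstable` is rejected before any signature is made.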

