Re: Choosing release goals for slink
Hi,
>>"Marco" == Marco d'Itri <md@linux.it> writes:
Marco> On Jul 11, Marco Budde <Marco.Budde@hqsys.antar.com> wrote:
>> We should add PGP or GPG support for dpkg, so that we can include a
>> signature in the deb packages themselves.
Marco> No, we shouldn't do that because we must have an easy way to sign a
Marco> package when the PGP key is not on the same computer used to build it.
Umm, that is not a strong enough reason for not adding
signatures; just a reason for not making signature verification
mandatory.
If indeed we decide on this, and hooks are added to the
package management system, then a copy of the Debian keyring may be
included with dpkg as a fallback, with the understanding that the
keyring in a well defined place shall be checked first (of course
verifying the keyring with a built in signature check -- there are
ways of bootstrapping checks like this).
If the key does not exist in the keyring, the user may be
offered a choice to acquire the latest keyring (signed by a well known
key, of course).
If the signature is invalid, then the user may be offered a
choice to abort installation.
So, signature verification is doable. Heck, MS does it on
their net installs, we certainly should be able to.
manoj
--
The insolent civility of a proud man is, if possible, more shocking
than his rudeness could be; because he shows you, by his manner, that
he thinks it mere condescension in him; and that his goodness alone
bestows upon you what you have no pretense to claim. -- Chesterfield
Manoj Srivastava <srivasta@acm.org> <http://www.datasync.com/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
--
To UNSUBSCRIBE, email to debian-policy-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
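The check-and-fallback flow Manoj sketches above (keyring in a well defined place first, the copy shipped with dpkg as fallback, the keyring itself verified before use, fetch a newer signed keyring when the signing key is unknown, abort when the signature is bad), written out as an added example. This is not dpkg's code and not anything from the thread: Ed25519 from the Go standard library stands in for PGP, and the keyring wire format, the key ID scheme, the `SignedKeyring`, `OpenKeyring` and `CheckPackage` names, and the `fetch` callback are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Outcome is what the install hook reports back to the user.
type Outcome int

const (
	Install Outcome = iota
	AbortUnknownKey
	AbortBadSignature
)

func (o Outcome) String() string {
	return [...]string{"install", "abort: unknown key", "abort: bad signature"}[o]
}

// SignedKeyring is the assumed keyring format for this example: a concatenation
// of raw 32-byte Ed25519 public keys, plus a signature over that blob made by
// the well-known master key. Real Debian keyrings are PGP keyrings; this is a stand-in.
type SignedKeyring struct {
	Blob []byte
	Sig  []byte
}

// KeyID is the hex of the first 8 bytes of the public key. This is an
// assumption for the example, not PGP's key ID scheme.
func KeyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub[:8]) }

// NewSignedKeyring serialises keys and signs the blob with the master key
// (what the keyring publisher would do, not the client).
func NewSignedKeyring(master ed25519.PrivateKey, keys ...ed25519.PublicKey) SignedKeyring {
	var blob []byte
	for _, k := range keys {
		blob = append(blob, k...)
	}
	return SignedKeyring{Blob: blob, Sig: ed25519.Sign(master, blob)}
}

// OpenKeyring is the bootstrap step: the keyring must carry a valid master
// signature before any key inside it is trusted for package verification.
func OpenKeyring(master ed25519.PublicKey, kr SignedKeyring) (map[string]ed25519.PublicKey, error) {
	if !ed25519.Verify(master, kr.Blob, kr.Sig) {
		return nil, errors.New("keyring signature does not verify against master key")
	}
	if len(kr.Blob)%ed25519.PublicKeySize != 0 {
		return nil, errors.New("malformed keyring blob")
	}
	keys := make(map[string]ed25519.PublicKey)
	for i := 0; i < len(kr.Blob); i += ed25519.PublicKeySize {
		pub := ed25519.PublicKey(kr.Blob[i : i+ed25519.PublicKeySize])
		keys[KeyID(pub)] = pub
	}
	return keys, nil
}

// CheckPackage decides whether pkg, signed by keyID with sig, may be installed.
// local is the keyring at the well defined place (nil if absent); builtin is the
// copy shipped with the package manager; fetch obtains the latest keyring, or is
// nil when the user declines or there is no network.
func CheckPackage(master ed25519.PublicKey, local *SignedKeyring, builtin SignedKeyring,
	fetch func() (SignedKeyring, error), pkg []byte, keyID string, sig []byte) (Outcome, error) {
	var keys map[string]ed25519.PublicKey
	var err error
	if local != nil {
		keys, err = OpenKeyring(master, *local)
	}
	if local == nil || err != nil {
		// No (valid) local keyring: fall back to the built-in copy, still verified.
		if keys, err = OpenKeyring(master, builtin); err != nil {
			return AbortUnknownKey, fmt.Errorf("no usable keyring: %w", err)
		}
	}
	pub, ok := keys[keyID]
	if !ok && fetch != nil {
		// Unknown key: acquire the latest keyring; it only counts if the master key signed it.
		if fresh, ferr := fetch(); ferr == nil {
			if newKeys, kerr := OpenKeyring(master, fresh); kerr == nil {
				pub, ok = newKeys[keyID]
			}
		}
	}
	if !ok {
		return AbortUnknownKey, nil
	}
	if !ed25519.Verify(pub, pkg, sig) {
		return AbortBadSignature, nil
	}
	return Install, nil
}

func main() {
	// Constructed keys and package contents; nothing here is a real Debian key.
	masterPub, masterPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	builtin := NewSignedKeyring(masterPriv, devPub)
	pkg := []byte("Package: example\nVersion: 1.0\n")
	out, err := CheckPackage(masterPub, nil, builtin, nil, pkg, KeyID(devPub), ed25519.Sign(devPriv, pkg))
	fmt.Println(out, err)
}
```

A keyring that fails its master-signature check is simply skipped here; a stricter hook would treat a tampered local keyring as grounds to abort outright rather than fall back, since it suggests someone already has write access to the well defined place.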