On Sun, Nov 06, 2011 at 01:44:08PM +0100, Tollef Fog Heen wrote:
> ]] Lars Wirzenius
>
> | Assuming we're talking about each developer's personal key: what
> | things would they be signing that matter? Package upload signatures
> | are relevant only until the upload gets accepted into the archive, and
> | after that it's the archive signing key that matters.
>
> Source packages are signed with the developer's key.

Is the situation with source packages different from binary packages? Both are, as far as I can see, governed by the archive signing key. The .dsc is also signed by the uploader's key, but that shouldn't really matter. The validity of a source package can be traced from the archive's Release file and its signature.

Hm, but dget and similar tools might not do that?

If it does matter, we'll need to deal with not just key expiration, but also revocation, and removal of keys from the Debian keyring, and probably other issues. Teaching the relevant tools to rely on the Release file would seem to be easier.

This is pretty irrelevant to the topic of the thread, though, which is how we can help Debian people keep their own machines secure.

--
Freedom-based blog/wiki/web hosting: http://www.branchable.com/
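The trust chain the mail describes (archive Release file, then the Sources index it lists, then the .dsc listed there) can be checked without consulting the uploader's key at all. The following is an added illustration, not code from the thread or from any Debian tool; it assumes the Release signature has already been verified (for example with gpgv against the archive keyring) and works on constructed sample data embedded below.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_checksum_field(text: str, field: str) -> dict:
    """Return {path: (sha256, size)} from the ' hash size path' lines under `field:`."""
    entries, active = {}, False
    for line in text.splitlines():
        if line.startswith(field + ":"):
            active = True
        elif active and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            active = False  # any other field ends the checksum list
    return entries

def verify_chain(release_text: str, sources_bytes: bytes, sources_path: str,
                 dsc_name: str, dsc_bytes: bytes) -> bool:
    """Trace a .dsc back to the Release file: Release -> Sources index -> .dsc.
    Assumes the Release file's detached signature was checked beforehand."""
    release = parse_checksum_field(release_text, "SHA256")
    if sources_path not in release:
        return False
    digest, size = release[sources_path]
    if sha256(sources_bytes) != digest or len(sources_bytes) != size:
        return False  # index does not match what the signed Release vouches for
    for stanza in sources_bytes.decode().split("\n\n"):
        files = parse_checksum_field(stanza, "Checksums-Sha256")
        if dsc_name in files:
            digest, size = files[dsc_name]
            return sha256(dsc_bytes) == digest and len(dsc_bytes) == size
    return False  # .dsc not listed in the index at all

# Constructed sample data (hypothetical package, not real archive content).
DSC = b"Format: 3.0 (quilt)\nSource: hello\nVersion: 2.10-1\n"
SOURCES = (
    "Package: hello\nVersion: 2.10-1\nDirectory: pool/main/h/hello\n"
    "Checksums-Sha256:\n"
    f" {sha256(DSC)} {len(DSC)} hello_2.10-1.dsc\n"
).encode()
RELEASE = (
    "Suite: stable\nSHA256:\n"
    f" {sha256(SOURCES)} {len(SOURCES)} main/source/Sources\n"
)

if __name__ == "__main__":
    print(verify_chain(RELEASE, SOURCES, "main/source/Sources", "hello_2.10-1.dsc", DSC))
```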