
signatures for debs installed manually



Hi,

Someone, such as a Debian maintainer, will occasionally request that
users test a package that he has built, but is not yet available in the
repositories, e.g.:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513993#52
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513993#60

Is there any way of ensuring the package is legitimate?  IIUC,
since I'm not going through the repos with the apt tools, there's no
checking of signatures.  I suppose that I can trust the developer, and
verify that the email notification is legitimate by checking his PGP
signature, but how can I be sure that the package I download is the one
he uploaded?

This is largely an academic question, since in the real world, this is
probably secure enough for my needs, but I'd like to know if there's a
Right Way to do this.

Celejar
-- 
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

