
Re: process to include upstream jar sig in Debian-generated jar

* Hans-Christoph Steiner:

> That should then result in a debian-generated jar that has the
> martus signature on it.  If Debian Security needed to update the
> package to fix an urgent issue, then they could still do so.  The
> package build process would only include the upstream signature from
> martus.jar if it was an exact match.  The security fixed version
> would then result in an unsigned jar, which is standard for jars in
> Debian.

How would you tell a legitimate security update from a version that
lacks a signature for other reasons?
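
The exact-match condition in the quoted proposal, sketched as an added example that is not part of this thread or of any Debian or Martus tooling. It assumes "exact match" means every entry in the rebuilt jar hashes to the SHA-256-Digest value in upstream's manifest; the function names and the sample jars are constructed for illustration.

```python
import base64, hashlib, io, zipfile

SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def is_sig_file(name):
    return name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES)

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def manifest_digests(manifest_text):
    """Map entry name -> SHA-256-Digest from the per-entry manifest sections."""
    # Unfold continuation lines (a wrapped line continues after a single space).
    text = manifest_text.replace("\r\n", "\n").replace("\n ", "")
    digests = {}
    for section in text.split("\n\n")[1:]:  # section 0 holds the main attributes
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in attrs and "SHA-256-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA-256-Digest"]
    return digests

def upstream_signature_applies(upstream_jar, rebuilt_jar):
    """True only if the rebuilt entries are exactly what upstream signed."""
    with zipfile.ZipFile(io.BytesIO(upstream_jar)) as up:
        signed = manifest_digests(up.read("META-INF/MANIFEST.MF").decode())
        if not signed or not any(is_sig_file(n) for n in up.namelist()):
            return False  # upstream jar carries no signature to reuse
    with zipfile.ZipFile(io.BytesIO(rebuilt_jar)) as rb:
        names = [n for n in rb.namelist() if not n.endswith("/")
                 and n != "META-INF/MANIFEST.MF" and not is_sig_file(n)]
        # Added, removed or changed entries all invalidate the signature.
        return (set(names) == set(signed)
                and all(b64_sha256(rb.read(n)) == signed[n] for n in names))

def make_sample_jar(entries, signed):
    """Constructed sample jar; the .RSA content is a placeholder, not a signature."""
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in entries.items():
        manifest += f"Name: {name}\r\nSHA-256-Digest: {b64_sha256(data)}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            jar.writestr("META-INF/UPSTREAM.SF", "Signature-Version: 1.0\r\n")
            jar.writestr("META-INF/UPSTREAM.RSA", b"placeholder")
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()
```

This is only a pre-check on entry contents: once upstream's manifest and signature files are copied into the rebuilt jar, `jarsigner -verify` remains the authoritative test.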
