Re: process to include upstream jar sig in Debian-generated jar

To: Hans-Christoph Steiner <hans@at.or.at>
Cc: debian-security@lists.debian.org, KevinS@benetech.org
Subject: Re: process to include upstream jar sig in Debian-generated jar
From: Florian Weimer <fw@deneb.enyo.de>
Date: Thu, 29 Aug 2013 09:39:44 +0200
Message-id: <[🔎] 871u5daqtb.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 521EC3C3.1090803@at.or.at> (Hans-Christoph Steiner's message of "Wed, 28 Aug 2013 23:45:07 -0400")
References: <[🔎] 521EC3C3.1090803@at.or.at>

* Hans-Christoph Steiner:

> That should then result in a debian-generated jar that has the
> martus signature on it.  If Debian Security needed to update the
> package to fix an urgent issue, then they could still do so.  The
> package build process would only include the upstream signature from
> martus.jar if it was an exact match.  The security fixed version
> would then result in an unsigned jar, which is standard for jars in
> Debian.

How would you tell a legitimate security update from a version that
lacks a signature for other reasons?

Reply to:

Follow-Ups:
- Re: process to include upstream jar sig in Debian-generated jar
  - From: Richard van den Berg <richard@vdberg.org>

References:
- process to include upstream jar sig in Debian-generated jar
  - From: Hans-Christoph Steiner <hans@at.or.at>

Prev by Date: process to include upstream jar sig in Debian-generated jar
Next by Date: Re: process to include upstream jar sig in Debian-generated jar
Previous by thread: process to include upstream jar sig in Debian-generated jar
Next by thread: Re: process to include upstream jar sig in Debian-generated jar
Index(es):
- Date
- Thread