On 29 aug. 2013, at 09:39, Florian Weimer <fw@deneb.enyo.de> wrote:

> How would you tell a legitimate security update from a version that
> lacks a signature for other reasons?

If you are worried about a non-official/malicious update for the package, the .deb will still need to have a proper signature. The discussion here is the signature on the jar file that is read/verified by the jre.

-- 
Richard