Re: process to include upstream jar sig in Debian-generated jar

To: Florian Weimer <fw@deneb.enyo.de>
Cc: Hans-Christoph Steiner <hans@at.or.at>, "debian-security@lists.debian.org" <debian-security@lists.debian.org>, "KevinS@benetech.org" <KevinS@benetech.org>
Subject: Re: process to include upstream jar sig in Debian-generated jar
From: Richard van den Berg <richard@vdberg.org>
Date: Thu, 29 Aug 2013 11:21:53 +0200
Message-id: <[🔎] 4DEDC154-C4CC-4DED-86EC-373B760DEF04@vdberg.org>
In-reply-to: <[🔎] 871u5daqtb.fsf@mid.deneb.enyo.de>
References: <[🔎] 521EC3C3.1090803@at.or.at> <[🔎] 871u5daqtb.fsf@mid.deneb.enyo.de>

On 29 aug. 2013, at 09:39, Florian Weimer <fw@deneb.enyo.de> wrote:

> How would you tell a legitimate security update from a version that
> lacks a signature for other reasons?

If you are worried about a non-official/malicious update for the package, the .deb will still need to have a proper signature. The discussion here is the signature on the jar file that is read/verified by the jre. 

-- Richard

Reply to:

Follow-Ups:
- Re: process to include upstream jar sig in Debian-generated jar
  - From: Sébastien Le Ray <beuss@orniz.org>

References:
- process to include upstream jar sig in Debian-generated jar
  - From: Hans-Christoph Steiner <hans@at.or.at>
- Re: process to include upstream jar sig in Debian-generated jar
  - From: Florian Weimer <fw@deneb.enyo.de>

Prev by Date: Re: process to include upstream jar sig in Debian-generated jar
Next by Date: Re: process to include upstream jar sig in Debian-generated jar
Previous by thread: Re: process to include upstream jar sig in Debian-generated jar
Next by thread: Re: process to include upstream jar sig in Debian-generated jar
Index(es):
- Date
- Thread