
Re: process to include upstream jar sig in Debian-generated jar

On 29 aug. 2013, at 09:39, Florian Weimer <fw@deneb.enyo.de> wrote:

> How would you tell a legitimate security update from a version that
> lacks a signature for other reasons?

If you are worried about a non-official/malicious update for the package, the .deb will still need to have a proper signature. The discussion here is the signature on the jar file that is read/verified by the jre. 

-- Richard
