On 29/08/2013 11:21, Richard van den Berg wrote:
> On 29 aug. 2013, at 09:39, Florian Weimer <fw@deneb.enyo.de> wrote:
>
>> How would you tell a legitimate security update from a version that
>> lacks a signature for other reasons?
>
> If you are worried about a non-official/malicious update for the package, the .deb will still need to have a proper signature. The discussion here is the signature on the jar file that is read/verified by the jre.
>

Yes, but the whole thing looks weird: on one hand the OP wants to include a signed JAR in the package, on the other hand he says "signature could be omitted if quick update is needed"… What's the point of having a signed JAR if an unsigned JAR is legitimate too? Either you ban unsigned JARs or you don't use a signed JAR at all…

Regards,

-- 
Sebastien
Attachment:
signature.asc
Description: OpenPGP digital signature
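The "ban unsigned JARs" option Sebastien argues for is only meaningful if the consumer actually fails closed. The following is an added example, not code from this thread or from the Debian package under discussion: a strict checker built on the JDK's `java.util.jar.JarFile` verifier that rejects a JAR unless every content entry is signed by one expected certificate. The certificate file and JAR path are placeholders supplied on the command line; the JDK behaviour it relies on is that signer information is only attached to an entry after the entry has been read to completion (that is when the digest is compared to the manifest), and that an unsigned or signature-stripped entry reports `null` signers.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Fail-closed JAR check (added example): every content entry must carry a
 * code signer whose leaf certificate equals the expected signer certificate.
 * A JAR whose signature was omitted "for a quick update" is rejected.
 */
public final class StrictJarCheck {

    /** Returns true only if every non-metadata entry is signed by expectedSigner. */
    public static boolean allEntriesSignedBy(File jarPath, X509Certificate expectedSigner)
            throws IOException {
        // verify=true makes JarFile compare entry digests against the manifest as entries are read
        try (JarFile jar = new JarFile(jarPath, true)) {
            if (jar.getManifest() == null) {
                return false; // no manifest means there cannot be a signature at all
            }
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureMetadata(entry.getName())) {
                    continue; // MANIFEST.MF, *.SF and the *.RSA/*.DSA/*.EC blocks are never themselves signed
                }
                // Signer information is populated only once the entry has been fully read.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain to trigger digest verification */ }
                } catch (SecurityException tampered) {
                    return false; // digest mismatch: the entry was modified after signing
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || !signedBy(signers, expectedSigner)) {
                    return false; // unsigned entry, or signed by a certificate we do not trust
                }
            }
            return true;
        }
    }

    private static boolean isSignatureMetadata(String name) {
        if (!name.startsWith("META-INF/")) return false;
        String upper = name.toUpperCase();
        return upper.equals("META-INF/MANIFEST.MF")
            || upper.endsWith(".SF") || upper.endsWith(".RSA")
            || upper.endsWith(".DSA") || upper.endsWith(".EC");
    }

    private static boolean signedBy(CodeSigner[] signers, X509Certificate expected) {
        for (CodeSigner signer : signers) {
            // The first certificate in the signer's path is the end-entity code-signing certificate.
            Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
            if (leaf.equals(expected)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java StrictJarCheck <app.jar> <signer.pem>   (both paths are placeholders)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate expected;
        try (InputStream pem = new FileInputStream(args[1])) {
            expected = (X509Certificate) cf.generateCertificate(pem);
        }
        boolean ok = allEntriesSignedBy(new File(args[0]), expected);
        System.out.println(ok ? "all entries signed by trusted signer"
                              : "REJECT: unsigned, tampered or untrusted entry");
        System.exit(ok ? 0 : 1);
    }
}
```

Pinning the leaf certificate rather than merely asking "is this entry signed by anyone" matters here: the JRE will happily report signers for a JAR re-signed with any self-signed key, so a check that only tests `signers != null` would accept a repackaged JAR as readily as the original.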