[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: process to include upstream jar sig in Debian-generated jar

Le 29/08/2013 11:21, Richard van den Berg a écrit :
> On 29 aug. 2013, at 09:39, Florian Weimer <fw@deneb.enyo.de> wrote:
>> How would you tell a legitimate security update from a version that
>> lacks a signature for other reasons?
> If you are worried about a non-official/malicious update for the package, the .deb will still need to have a proper signature. The discussion here is the signature on the jar file that is read/verified by the jre. 

Yes but the whole thing looks weird, on one hand OP wants to include a
signed jar in the package, on the other hand he says "signature could be
omitted if quick update is needed"… What's the point having signed JAR
if unsigned JAR is legitimate too? Either you ban unsigned JARs or you
don't use signed JAR at all…


Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: