
Re: process to include upstream jar sig in Debian-generated jar

On Thu, Aug 29, 2013 at 11:35:47AM +0200, Sébastien Le Ray wrote:
> Yes but the whole thing looks weird, on one hand OP wants to include a
> signed jar in the package, on the other hand he says "signature could be
> omitted if quick update is needed"… What's the point having signed JAR
> if unsigned JAR is legitimate too? Either you ban unsigned JARs or you
> don't use signed JAR at all…

It leaves that decision of whether to run with the unsigned jar up to the user. I think this is a reasonable solution if it works in practice, and is similar in concept to what the openssl folks have done for FIPS validation.

Mike Stone
