[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: process to include upstream jar sig in Debian-generated jar

On Sun, Sep 01, 2013 at 12:36:59PM +0200, Florian Weimer wrote:
How so?  The code that performs the signature check (or reports the
failure) relies on bits that we (Debian) ship.  It's impossible to
bootstrap trust, unless you already trust Debian.

There's no such thing as perfect security, only a series of tradeoffs. I'm honestly not familiar with the exact circumstances, but I'm assuming that the signature in question is validated via the jvm CA trust path. Is there an alternative way to sign a java applet in a debian autobuilder with a trusted key? You can obviously argue whether that's a useful property, but if you're a user who wants to be able to follow a consistent process between the debian version and other versions it's certainly nicer for it to "just work" rather than getting an explanation of why the debian way is better and what the user is trying to do doesn't make sense.

Mike Stone

Attachment: signature.asc
Description: Digital signature

Reply to: