
Re: marillat false alarm?



On Mon, Oct 31, 2005 at 04:57:56PM -0500, Marty wrote:
> what really bothers me is having no way to validate marillat packages,
> since I'm running stable.  (That's another issue which I've tried to
> address without success.)

In Marillat's ftp archive are various .dsc files, for each package. Each
is signed by his GPG key, which is in the debian-keyring package. The
file itself contains the md5sums of the constituent parts of the source
packages (diff.gz and orig.tar.gz). You can use these to build your own
binary packages.

If the binaries were tampered with, their md5sums wouldn't match the
.dsc file. If the .dsc file was tampered with, the signature wouldn't be
valid.

-- 
Jon Dowland
http://jon.dowland.name/
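
The md5sum half of the check described in the message above, as an added example that is not part of the original post: it reads the `Files:` field of a .dsc and compares each listed source part on disk against it. It assumes the .dsc signature has already been checked separately (for instance with `gpg --verify`); the function names and the sample package files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def parse_dsc_files(dsc_text):
    """Return {filename: (md5hex, size)} from the Files: field of a .dsc."""
    entries, in_files = {}, False
    for line in dsc_text.splitlines():
        if line.startswith("Files:"):
            in_files = True
        elif in_files and line.startswith(" ") and line.strip():
            md5hex, size, name = line.split()
            entries[name] = (md5hex.lower(), int(size))
        elif in_files:
            break  # a blank line or the next field ends the Files: block
    return entries

def verify_parts(dsc_text, directory):
    """Compare each listed part on disk against the .dsc; return {name: status}."""
    results = {}
    for name, (md5hex, size) in parse_dsc_files(dsc_text).items():
        # Names come from the .dsc itself; accept bare filenames only.
        if os.path.basename(name) != name:
            results[name] = "rejected"
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        digest = hashlib.md5()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        ok = digest.hexdigest() == md5hex and os.path.getsize(path) == size
        results[name] = "ok" if ok else "MISMATCH"
    return results

def demo():
    """Constructed sample: two source parts, one altered after the .dsc was written."""
    with tempfile.TemporaryDirectory() as d:
        parts = {"example_1.0.orig.tar.gz": b"upstream source", "example_1.0-1.diff.gz": b"debian changes"}
        lines = ["Format: 1.0", "Source: example", "Files:"]
        for name, data in parts.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
            lines.append(" %s %d %s" % (hashlib.md5(data).hexdigest(), len(data), name))
        with open(os.path.join(d, "example_1.0-1.diff.gz"), "wb") as fh:
            fh.write(b"debian change!")  # same length, different content
        return verify_parts("\n".join(lines) + "\n", d)
```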


