
Bug#773850: ITP: signify-openbsd -- Lightweight cryptographic signing and verifying tool



On 31/12/14 06:23, Florian Weimer wrote:
> * Riley:

Thanks for your review! I've uploaded the latest version of the package
to mentors, with the below changes. You can get it using:

dget -x http://mentors.debian.net/debian/pool/main/s/signify-openbsd/signify-openbsd_8-1.dsc

>> Similar to GNU Privacy Guard (GPG), signify is the tool which
>> OpenBSD uses to cryptographically sign its releases, so that
>> you can be sure that you are actually getting a release made by
>> OpenBSD, as opposed to a malicious forgery designed to look
>> the same.
> 
> You can't use the package as-is for verification because it does not
> ship the OpenBSD signing keys (and rightly so).  This is different
> from OpenBSD where the signing keys are baked into the distribution
> (but obviously, you have to do that leap of faith just once, same with
> Debian, more or less).

I've added a note about this in the package description and the manpage.
The note in the manpage has been accepted by upstream.

>> Signify's usage is not limited to OpenBSD's releases, however -
>> it can be used to sign any software.
> 
> (And not just software.)

Changed to "anything" instead of "any software".

>> So that it will work on Linux, the version of signify provided
>> in this package is not exactly the same as the version provided
>> in OpenBSD's CVS tree; however the upstream changes are
>> frequently merged.
> 
> That's not actually true once this package ends up in a stable
> release.

Okay, good point. I've removed this notice.

> There's been a recent change which you should pick up (“fingerprints”
> are no more).

I've made the change in a patch. There's no point sending this upstream,
since when upstream next syncs with OpenBSD's CVS, they'll get this
change anyway.


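The thread above covers what signify is for and the caveat that the Debian package ships no OpenBSD keys. As an added illustration (not code from the signify-openbsd package, from OpenBSD, or from either correspondent), the Python below shows what a `signify -V` run actually checks once you hand it a public key and a signature: the two-line "untrusted comment:" framing, the `Ed` algorithm tag, the 8-byte key number that must agree between the `.pub` and `.sig` files (the identifier upstream had called a fingerprint; a mismatch is rejected before any cryptography runs), and finally an Ed25519 signature over the raw contents of the message file. The Ed25519 arithmetic is written out from RFC 8032 so the example runs with no dependencies. The key and signature are constructed from RFC 8032's first test vector (which signs the empty message), the key number and comment strings are arbitrary, and none of it is an OpenBSD key. That last point is the one Florian raises: the code can only confirm that a signature matches whatever key file you supplied, so the result is exactly as trustworthy as the channel the key came through.

```python
import base64
import hashlib

# ---- Ed25519 verification, written out from the RFC 8032 field arithmetic ----
# (pure Python and slow: fine for a demonstration, not for production use)
q = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point
d = (-121665 * pow(121666, q - 2, q)) % q            # curve constant
I = pow(2, (q - 1) // 4, q)                          # sqrt(-1) mod q


def xrecover(y):
    """Recover the even x coordinate belonging to y on the twisted Edwards curve."""
    xx = ((y * y - 1) * pow(d * y * y + 1, q - 2, q)) % q
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = (x * I) % q
    if x & 1:
        x = q - x
    return x


By = (4 * pow(5, q - 2, q)) % q
B = (xrecover(By), By)  # base point


def edwards_add(P, Q):
    x1, y1 = P
    x2, y2 = Q
    t = (d * x1 * x2 * y1 * y2) % q
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, q - 2, q)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, q - 2, q)
    return (x3 % q, y3 % q)


def scalar_mult(P, e):
    """Double-and-add scalar multiplication; the neutral element is (0, 1)."""
    Q = (0, 1)
    while e:
        if e & 1:
            Q = edwards_add(Q, P)
        P = edwards_add(P, P)
        e >>= 1
    return Q


def decode_point(s):
    """Decode a 32-byte little-endian point; the top bit carries the sign of x."""
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    if (x & 1) != (s[31] >> 7):
        x = q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q != 0:
        raise ValueError("point is not on the curve")
    return (x, y)


def ed25519_verify(pk, msg, sig):
    """True iff sig is a valid Ed25519 signature on msg under public key pk."""
    if len(pk) != 32 or len(sig) != 64:
        return False
    S = int.from_bytes(sig[32:], "little")
    if S >= L:                      # reject non-canonical S (signature malleability)
        return False
    try:
        R = decode_point(sig[:32])
        A = decode_point(pk)
    except ValueError:
        return False
    # challenge scalar, reduced mod L as libsodium does
    h = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little") % L
    return scalar_mult(B, S) == edwards_add(R, scalar_mult(A, h))


# ---- signify's file framing: one "untrusted comment:" line, then one base64 line ----
PKALG = b"Ed"   # algorithm tag signify writes in front of keys and signatures
KEYNUMLEN = 8   # 8-byte key number that ties a signature to the key that made it


def parse_signify_file(text, payload_len):
    """Return (keynum, payload) from the body of a signify .pub or .sig file."""
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment: "):
        raise ValueError("missing 'untrusted comment:' line")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != 2 + KEYNUMLEN + payload_len:
        raise ValueError("unexpected payload length")
    if raw[:2] != PKALG:
        raise ValueError("unsupported algorithm tag")
    return raw[2:2 + KEYNUMLEN], raw[2 + KEYNUMLEN:]


def signify_verify(pubkey_text, sig_text, message):
    """Mirror signify -V: key numbers must agree before the signature is even checked."""
    keynum_pk, pk = parse_signify_file(pubkey_text, 32)
    keynum_sig, sig = parse_signify_file(sig_text, 64)
    if keynum_pk != keynum_sig:
        return False    # signature was made by a different key; no crypto needed
    return ed25519_verify(pk, message, sig)


# ---- constructed inputs (not an OpenBSD key): RFC 8032 section 7.1 test 1, ----
# ---- which signs the empty message, wrapped in signify's framing           ----
PK_HEX = "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a"
SIG_HEX = ("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
           "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b")
KEYNUM = bytes.fromhex("0011223344556677")   # arbitrary key number for the demo
MESSAGE = b""


def signify_file(comment, blob):
    return "untrusted comment: %s\n%s\n" % (comment, base64.b64encode(blob).decode())


PUBKEY_FILE = signify_file("demo key", PKALG + KEYNUM + bytes.fromhex(PK_HEX))
SIG_FILE = signify_file("verify with demo.pub", PKALG + KEYNUM + bytes.fromhex(SIG_HEX))
# the same signature framed with a different key number: signify must refuse it
WRONG_KEYNUM_SIG_FILE = signify_file("verify with demo.pub", PKALG + bytes(8) + bytes.fromhex(SIG_HEX))
# one flipped bit in the last byte of S
TAMPERED_SIG_FILE = signify_file("verify with demo.pub",
                                 PKALG + KEYNUM + bytes.fromhex(SIG_HEX)[:-1] + b"\x0a")

if __name__ == "__main__":
    print("good signature:", signify_verify(PUBKEY_FILE, SIG_FILE, MESSAGE))
    print("wrong key number:", signify_verify(PUBKEY_FILE, WRONG_KEYNUM_SIG_FILE, MESSAGE))
    print("tampered message:", signify_verify(PUBKEY_FILE, SIG_FILE, b"tampered"))
```

With the packaged tool the equivalent check is `signify-openbsd -V -p demo.pub -x message.sig -m message`; the flags are signify's own, only the binary name differs in Debian. Note what the key-number check does and does not buy you: it stops a signature from being checked against the wrong key, which gives a clear error instead of a bare failure, but it says nothing about whether `demo.pub` is the key you think it is.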