Re: Official Debian digital 'branding' of debs

To: Gunnar.Isaksson@saab.se
Cc: debian-devel@lists.debian.org
Subject: Re: Official Debian digital 'branding' of debs
From: Goswin Brederlow <goswin.brederlow@student.uni-tuebingen.de>
Date: 20 Jun 1999 17:46:42 +0200
Message-id: <[🔎] 87r9n6ri1p.fsf@rut.informatik.uni-tuebingen.de>
In-reply-to: Gunnar.Isaksson@saab.se's message of "Fri, 18 Jun 1999 10:43:49 +0200"
References: <[🔎] 376A06C5.F365D0E1@saab.se>

Gunnar.Isaksson@saab.se writes:

> Dear Sirs,
> 
> I have noticed that debian sources are PGP signed by their
> package maintainers but the debian binaries are not signed.
> 
> Since I work in a very security aware environment I would
> like every debian binary to also be PGP signed.

You can check the md5sums against the once from the Packages file. And 
the package file should probably be signed somehow to ensure its
correct. Or you can get the original packages file via ssh if you are
a maintainer.

Signing all packages automatically during upload is too risky in my
eyes, since then that main key would float around and be hacked too
easily. Signing all packages by the maintainers is not possible for
autobuild deamons and thus not worth at all to demand.

>...

May the Source be with you.
			Goswin

Reply to:

References:
- Official Debian digital 'branding' of debs
  - From: Gunnar.Isaksson@saab.se

Prev by Date: Re: HTML instead of GNU Info?
Next by Date: Re: Official Debian digital 'branding' of debs
Previous by thread: Re: Official Debian digital 'branding' of debs
Next by thread: Re: Official Debian digital 'branding' of debs
Index(es):
- Date
- Thread