Hi,
I deffinately feel that there should be some form of PGp verification
available for .debs and not only .dsc and .changes files. The fact that
it isn't convenient for developer's and autobuild scripts isn't very
relevant to the Debian end-user.
I do not think however it is enough to arbitrarily include a signed
md5sums file in /usr/doc/package. If a user has pgp2, pgp5, or gpg apt
should be able to automaticly verify a package before it is installed.
On Sun, Jun 20, 1999 at 11:37:21AM -0500, Manoj Srivastava wrote:
>
> Having a single key does indeed create a single point of
> failure, but this is a known fact, and we can expend significant
> effort to maintain the integrity of the single key (never put on a
> networked computer, only used for signing the debian keyring, etc).
This single point of failure would be more appairent to Debian than to
RedHat however. Since Debian is a distribution put together by
volunteers, developers, project leaders, and conceivably key maintainers
can come and go on a regular basis. A leak would be extremely possible
imho.
--
Shane Wegner: shane@cm.nu
Sysadmin, Continuum Systems: http://www.cm.nu Tel: (604) 930-0520
Personal website: http://www.cm.nu/~shane Fax: (604) 930-0529
PGP: keyid: 2048/F5C2BD91 ICQ UIN: 120000
Fingerprint: 8C 48 B9 D8 53 BB D8 EF
76 BB DB A2 1C 0D 1D 87
Attachment:
pgpXt7fqqkS8b.pgp
Description: PGP signature