Well, that the .deb isn't signed is nearly isomorphic with there not being a key. To have meaningful signatures, you need to be able to check the sig against what you get using the public key.
I ran Mandriva with RPMs back in the SS6 days. So I never would have looked for Debian signatures.

I'm not following Snarly's comment about the value or lack thereof. For clueless users, having the repository be verified is a good thing. The build process can pull the code from SVN, make the package, and sign it. No human touch needed.

All that is really verified is that the package came from Slim/Logi and came from approved sources. Which means that a bad guy didn't copy the .deb file, hack it with evil stuff, and then try to pass it off as a genuine SqueezeCenter.

It also means that when the signatures fail, and the package installs the evil "rm -rf /" malware, Slim/Logi can have plausible deniability.

--
pfarrell

Pat
http://www.pfarrell.com/music/slimserver/slimsoftware.html
