Hi,

On Tue, Dec 18, 2007 at 12:11:24AM +0100, Mohammed Adnène Trojette wrote:
> On Thu, Oct 25, 2007, Kees Cook wrote:
> > This is when I'm signing over my sponsoree's. Many of their build
> > practices include signing packages (it is good practice for their
> > eventual self-uploading). This comes up most of all when I'm doing
> > sponsored security updates.
>
> I really see signing over a sponsoree's signature a bad practice. The
> only use case I see is myself signing with a second key which is not in
> the keyring and wanting to re-sign over it.
Right -- that's exactly the use-case I mean. When I'm sponsoring someone,
I already have their key in my keyring (and as such I can verify the
integrity of their dsc/diff.gz/changes), but I need to re-sign the
changes/dsc with my own key so the upload would be accepted.

> You may also convince me I am wrong and I'll be happy to correct the
> current behaviour. :-)

No problem -- it's your call. :) I would like to see it implemented,
though, which is why I made it an optional variable -- by default it
continues to behave as before.

Thanks!

-Kees

--
Kees Cook @outflux.net

