On Wed, Jan 05, 2005 at 11:47:57PM +0000, Henning Makholm wrote:
> Scripsit Martin Michlmayr <[EMAIL PROTECTED]>
> > * Steve Langasek <[EMAIL PROTECTED]> [2005-01-05 15:12]:

> >> Be careful: in general, you should *not* sign changes files for
> >> packages that are not intended to be included in the Debian archive.
> >> Once the changes file is signed, anyone can upload your package to
> >> the Debian archive whether that was your intent or not.

> > Greg doesn't appear to be a Debian developer so neither of these
> > applies.

> But if he later *does* become a DD, the archive scripts might
> retroactively accept his old changes file if somebody uploaded it,
> wouldn't they?  (I'd be surprised if they checked the creation date of
> the signature, but things sometimes do surprise me).

> Here I ignore the fact that a newer version would probably be in the
> archive by then, for this particular package at least.

In this case, I merely failed to realize Greg wasn't a DD.  Both you and
Martin are correct.

> > The first paragraph is good advice in general, though.

> Does it also apply to signing .dsc's?

The archive scripts won't act on an uploaded .dsc without an accompanying
.changes file, so this is not an issue.  Moreover, signing your .dsc
provides a trust path to your source code (in the case where you're making
sourceful changes -- Greg did not, so probably shouldn't need to distribute
a .dsc at all), so this is a good idea.

-- 
Steve Langasek
postmodern programmer

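As an added example (not code from this thread or from Debian's archive tooling), a small parser for the clearsigned .changes format that makes the point above concrete: the signed file names a target Distribution and a Files list with MD5 sums and sizes, so a signature over it is an upload authorisation for exactly those files whether or not an upload was intended. The sample file contents and the signature block are constructed placeholders; the script parses the clearsign armour but does not verify OpenPGP signatures.

```python
import hashlib

# Constructed upload contents, standing in for the files beside a .changes.
UPLOAD_FILES = {
    "example_1.0-1.dsc": b"Format: 1.0\nSource: example\nVersion: 1.0-1\n",
    "example_1.0-1_i386.deb": b"!<arch>\nconstructed .deb placeholder\n",
}

def build_changes(files, distribution="unstable"):
    """Build a clearsigned-looking .changes over the constructed files; the
    signature block is a placeholder, not real OpenPGP data."""
    lines = ["-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA1", "",
             "Format: 1.7", "Source: example", "Version: 1.0-1",
             "Distribution: " + distribution, "Files:"]
    for name, data in files.items():
        md5 = hashlib.md5(data).hexdigest()
        lines.append(" %s %d devel optional %s" % (md5, len(data), name))
    lines += ["-----BEGIN PGP SIGNATURE-----", "placeholder-signature",
              "-----END PGP SIGNATURE-----"]
    return "\n".join(lines) + "\n"

def parse_changes(text):
    """Strip clearsign armour and parse the RFC822-style fields; folded
    lines (leading whitespace) are appended to the preceding field."""
    signed = text.startswith("-----BEGIN PGP SIGNED MESSAGE-----")
    fields, key, in_body = {"_signed": signed}, None, not signed
    for line in text.splitlines():
        if not in_body:
            in_body = line == ""      # armour headers end at the blank line
            continue
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if line[:1] in (" ", "\t") and key:
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, _, val = line.partition(":")
            fields[key] = val.strip()
    return fields

def check_upload(text, files):
    """Report what the .changes authorises: target suite, listed files, any
    MD5/size mismatch against the files present, and whether a .dsc is listed."""
    f = parse_changes(text)
    entries = [l.split() for l in f.get("Files", "").split("\n") if l]
    mismatches = [e[4] for e in entries if e[4] not in files
                  or hashlib.md5(files[e[4]]).hexdigest() != e[0]
                  or int(e[1]) != len(files[e[4]])]
    return {"signed": f["_signed"], "distribution": f.get("Distribution"),
            "files": [e[4] for e in entries], "mismatches": mismatches,
            "has_dsc": any(e[4].endswith(".dsc") for e in entries)}
```

Running `check_upload(build_changes(UPLOAD_FILES), UPLOAD_FILES)` reports the suite and files the signature covers; swapping in a different .deb shows up as a mismatch, which is the check the archive side performs against the listed sums.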