On Thu, 24 Nov 2005, Anthony Towns wrote:
> Personally, I think it's cryptographic snake oil, at least in so far

A signed deb has a seal of provenance and allows one to track the path it
made through the system, and who changed it. It ties a non-trustable
timestamp to every signed step in that path, but that has limited use.
It allows one to verify against tampering of the data along that path.

It does no more. Nobody who really knows what he's talking about claimed
that it did.

I do claim that a cryptographic seal of provenance and non-tampering IS
valuable information, and also that dpkg-sig delivers that information in
a much more usable and universal way than anything else we have currently.

> > something that provides DD-to-user package signatures at least in some
> > cases is very desirable indeed.
>
> debian-devel-changes provides this.

Not in a very useable form, and only for Debian packages uploaded to the
official Debian archive. This is hardly good enough.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh