On Jan 25, Brandon Mitchell decided to present us with:
> The thought I had was to make pgp signatures of the package
> files and save them as Packages.pgp. This will not interfere
> with the current package files, therefore we are still
> backwards compatible. Then apt could check for a pgp file and
> verify it for the user. If it fails, it could just warn the
> user and ask to continue.

Sounds good, as long as I can shut it off :-)

Also, it should use the keyring in developers-keyring or one that comes with apt, otherwise the point is moot (anyone who can upload a .deb with a trojan can upload a Packages.pgp with a signature).

> This would require: a) gnu's version of pgp to work (so that we
> don't request non-free software to get the free software)

Here we go again. This would have the problem of requiring all developers to switch to gpg. OTOH, we could just sign all packages with the same key ("the Debian key"); when dinstall verifies the signature and md5sum in the .changes file, it signs the package and updates Packages.pgp. One added advantage of this is that apt only has to care about one key - it may even have it hardwired if gpg permits.

> and the bad part b) someone to be at the console when
> generating packages files to type the pgp password.

Huh? You don't need the passphrase to verify signatures.

[]s,
|alo
+----
--
I am Lalo of deB-org. You will be freed.
Resistance is futile.

http://www.webcom.com/lalo mailto:[EMAIL PROTECTED]
pgp key in the web page

Debian GNU/Linux -- http://www.debian.org
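
Added example, not part of the original message and not dinstall's own code: a sketch of the md5sum check on a .changes file that the reply says must pass before the archive key signs anything. The function names and the sample upload are assumptions made up for illustration, and the signature on the .changes file is assumed to have been verified separately with gpg.

```python
import hashlib, os, tempfile

def parse_changes_files(text):
    """Return [(md5, size, name)] from the Files: field of a .changes body."""
    entries, in_files = [], False
    for line in text.splitlines():
        if line.startswith("Files:"):
            in_files = True
        elif in_files and line[:1] in (" ", "\t") and line.strip():
            parts = line.split()  # md5 size section priority filename
            if len(parts) != 5:
                raise ValueError("malformed Files entry: %r" % line)
            entries.append((parts[0].lower(), int(parts[1]), parts[4]))
        elif in_files:
            break  # a blank line or the next field ends the list
    return entries

def check_file(path, md5, size):
    if not os.path.isfile(path):
        return "missing"
    with open(path, "rb") as fh:
        data = fh.read()
    if len(data) != size:
        return "size mismatch"
    # MD5 only because it is the checksum the message names
    return "ok" if hashlib.md5(data).hexdigest() == md5 else "md5 mismatch"

def verify_upload(text, upload_dir):
    """Map every file listed in the .changes body to a verdict string."""
    results = {}
    for md5, size, name in parse_changes_files(text):
        if os.path.basename(name) != name:
            results[name] = "bad name"  # never follow a path out of the upload dir
        else:
            results[name] = check_file(os.path.join(upload_dir, name), md5, size)
    return results

def ok_to_sign(results):  # sign only when every listed file checked out
    return bool(results) and all(v == "ok" for v in results.values())

def demo():  # constructed upload: one intact file, one altered after the .changes was written
    good, bad = b"constructed package contents\n", b"altered after upload\n"
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("hello_1.0-1_i386.deb", good), ("hello_1.0-1.dsc", bad)):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        changes = ("Source: hello\nFiles:\n %s %d devel optional hello_1.0-1_i386.deb\n"
                   " %s %d devel optional hello_1.0-1.dsc\n\n"
                   % (hashlib.md5(good).hexdigest(), len(good), "0" * 32, len(bad)))
        results = verify_upload(changes, d)
    return results, ok_to_sign(results)
```

`demo()` returns the per-file verdicts and the sign/no-sign decision for the constructed upload.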