On Sat, Oct 23, 1999 at 11:14:56AM -0400, Brian White wrote:
> > Apologies, it's been tedious work going through all the dpkg bugs, and I
> > seem to have overlooked a few details in going through these. There is a
> > higher issue at stake here though. The real problem is that having a
> > maintainer address that is not referenced in the key ring is, IMO, bad.
> > So by allowing a feature that permits signing a maintainer address that
> > isn't in the keyring, we are breaking some fundamental necessities for
> > package signing.
>
> It isn't a person's name that is the important entry in the keyring; it's
> the digital signature that uniquely identifies someone. You could, in
> theory, have multiple package maintainers at the same email address. The
> fact that a full name is listed as part of the address is merely a
> convenience for us humans. I think any lookup that would produce a
> unique private key should be sufficient.

However, these signatures are then gone. Which means that the only way to check a package's maintainer against the keyring is via the maintainer field. With your method, it would not be possible.

Ben

