On Thu, 2002-08-08 at 03:42, Anthony Towns wrote:
> Apt can/should handle things in a more complicated way; in particular if
> it's downloading packages from Debian it should expect a Debian signature,
> while downloading Blackdown Java or OpenOffice.org stuff should have a
> signature from a Blackdown or OpenOffice.org key.

Definitely.

> Dpkg, OTOH, can't tell where a package is meant to have come from,

Well, there is the Origin: field. debsig-verify maps that to a key to verify. So it is in some sense verifying where the package was "meant to have come from", no?

> c) Check that the signature is from the "Maintainer:"

Well, this breaks for NMUs...
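To make the two policies in this exchange concrete, here is an added example (not code from the thread, debsig-verify or dpkg) that parses a constructed control stanza and compares an Origin-keyed check against a Maintainer-keyed check on a non-maintainer upload. The fingerprints, e-mail addresses and keyrings are constructed placeholders, and signature verification itself is assumed to have already yielded the signer's fingerprint.

```python
# Added example: models origin-based vs maintainer-based signature policy
# on a constructed dpkg control stanza. Not code from debsig-verify or dpkg.
from typing import Dict, Set

# Constructed control stanza in dpkg's RFC822-style format, with a folded
# Description and an Origin: field naming the distribution it came from.
CONTROL = """\
Package: hello
Version: 2.1.1-5
Maintainer: Jane Maintainer <jane@example.org>
Origin: Debian
Description: example package
 Longer description continues on a folded line.
"""

def parse_control(text: str) -> Dict[str, str]:
    """Parse one stanza; a line starting with whitespace continues the previous field."""
    fields: Dict[str, str] = {}
    last = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and last is not None:
            fields[last] += "\n" + line.strip()
        else:
            name, _, value = line.partition(":")
            last = name.strip()
            fields[last] = value.strip()
    return fields

# Constructed keyrings (hypothetical fingerprints): origin name -> fingerprints
# trusted to sign for that origin, and developer address -> own fingerprint.
ORIGIN_KEYRINGS: Dict[str, Set[str]] = {
    "Debian": {"FP-JANE", "FP-BOB"},   # both are Debian developers
    "Blackdown": {"FP-BLACKDOWN"},
}
DEVELOPER_KEYS: Dict[str, str] = {"jane@example.org": "FP-JANE", "bob@example.org": "FP-BOB"}

def verify_by_origin(fields, signer_fp, keyrings=ORIGIN_KEYRINGS) -> bool:
    """Origin: selects the keyring the signer must belong to (the debsig-verify idea).
    A package with no Origin: maps to no keyring, so it is not accepted."""
    return signer_fp in keyrings.get(fields.get("Origin", ""), set())

def verify_by_maintainer(fields, signer_fp, devkeys=DEVELOPER_KEYS) -> bool:
    """Option (c) from the quoted mail: the signer must be the Maintainer:."""
    addr = fields.get("Maintainer", "").rsplit("<", 1)[-1].rstrip(">")
    return devkeys.get(addr) == signer_fp

def nmu_comparison():
    """Bob, a Debian developer, uploads an NMU of Jane's package: (origin, maintainer)."""
    f = parse_control(CONTROL)
    return verify_by_origin(f, "FP-BOB"), verify_by_maintainer(f, "FP-BOB")
```

`nmu_comparison()` returns `(True, False)`: the origin policy accepts the NMU because Bob's key is in the Debian keyring, while the maintainer policy rejects it, which is the breakage the reply points out.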

