>>>>> "Bron" == Bron Gondwana <[EMAIL PROTECTED]> writes:
[...]

Bron> This doesn't work.  The problem is basically:

Bron> a) what about a package which they uploaded while valid, more than
Bron> 6 months ago, that someone wants to download and install now.

Bron> b) if by date, what's to stop someone backdating a package and
Bron> falsifying a mirror/proxy with a copy of their package.  The
Bron> signature will still check out.

AFAIK, developer keys aren't used to sign packages in the archive.
They are only used to upload packages.  When you check the signature
from the repository, you are checking it against the Debian archive key
(which changes periodically).

(note: I am not a DD, and I've only been loosely following apt 0.6.
But I am a package maintainer.)

-- 
Hubert Chan <[EMAIL PROTECTED]> - http://www.uhoreg.ca/
PGP/GnuPG key: 1024D/124B61FA
Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA
Key available at wwwkeys.pgp.net.  Encrypted e-mail preferred.

