Hi,

Someone, such as a Debian maintainer, will occasionally request that users test a package that he has built, but that is not yet available in the repositories, e.g.:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513993#52
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513993#60

Is there any way of ensuring the package is legitimate? IIUC, since I'm not going through the repos with the apt tools, there's no checking of signatures. I suppose that I can trust the developer, and verify that the email notification is legitimate by checking his PGP signature, but how can I be sure that the package I download is the one he uploaded?

This is largely an academic question, since in the real world, this is probably secure enough for my needs, but I'd like to know if there's a Right Way to do this.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

