* Hans-Christoph Steiner:

> That should then result in a debian-generated jar that has the
> martus signature on it. If Debian Security needed to update the
> package to fix an urgent issue, then they could still do so. The
> package build process would only include the upstream signature from
> martus.jar if it was an exact match. The security fixed version
> would then result in an unsigned jar, which is standard for jars in
> Debian.

How would you tell a legitimate security update from a version that lacks a signature for other reasons?

