Scripsit Steve Langasek <[EMAIL PROTECTED]>
> On Wed, Jan 05, 2005 at 11:47:57PM +0000, Henning Makholm wrote:

>> Does it also apply to signing .dsc's?

> The archive scripts won't act on an uploaded .dsc without an accompanying
> .changes file, so this is not an issue. Moreover, signing your .dsc
> provides a trust path to your source code

I think that is what I meant: If I sign a .dsc that is not intended to
be uploaded, is there a risk that this trust path ends up in the
archive because somebody else constructs a .changes to put them in?
The "somebody else" would have to be a DD, but the signature the
general public [1] would see in aptable source repositories would be
mine.

Or do the archive scripts check that the key that signed the .dsc is
the same that signed the .changes accompanying them?

[1] People with sufficient knowledge would know to look up the
    .changes in the PTS or the mailing list archives, but it is not
    generally distributed afaiu.

-- 
Henning Makholm    "Ambiguous cases are defined as those for which the
                    compiler being used finds a legitimate interpretation
                    which is different from that which the user had in mind."