[Goswin von Brederlow] > > Use 2: I have this Ubuntu CD and want to know which debs are from > > debian and which got recompiled > > > > Look for all debs that have a deb signature of the debian archive > > (to be added to dinstall at some point).
[Matthew Garrett] > The answer is "all of them", so this one's not very compelling. What? All Ubuntu .deb files went through ftp-master.debian.org at some point? I know you can't actually mean that. Hmmm, perhaps you meant "none of them"? If so, that's an Ubuntu-specific answer, because even if Ubuntu recompiles all packages, many Debian derivative distributions do not. Or did you mean signatures on individual debs are not useful for this purpose since one could instead simply archive the Packages and Release files for Debian unstable every day between one Ubuntu release and the next? While possible, this has approximately the same absurdity factor as asking users to subscribe to debian-devel-changes and keep enough mail archives around to verify developer signatures *that* way. (Yes, believe it or not, that has actually been proposed!)
signature.asc
Description: Digital signature
