On Fri, Nov 25, 2005 at 03:22:37PM +0100, Goswin von Brederlow wrote:
> A signature in the deb by a random developer is as trustworthy as the
> changes file and you already trust that. So we are going from snakeoil
> to snakeoil. No harm done.

It's not the same, actually. A signature in a .deb needs to be made by a key which is still trustworthy at the time of verification, which could be quite some time in the future. The key which makes a .changes signature, in contrast, only *needs* to be valid at the time the upload is made -- if it is later compromised, it's not important, because by that time the archive signing key has taken over the role of integrity verification.

Of course, using the signature on the .changes to verify the .debs independent from the archive at some later date is a nice side-benefit, but one which suffers from the same key-lifetime issues as in-deb signatures, and since the .changes from autobuilt uploads aren't publicly available (apparently d-d-$arch-changes isn't archived, from info previously posted in this thread) that method of package authentication isn't going to be 100% reliable anyway.

- Matt