On Fri, Nov 25, 2005 at 12:49:11PM -0800, Thomas Bushnell BSG wrote:
> Anthony Towns <aj@azure.humbug.org.au> writes:
> > .deb signatures are aimed at giving users some sort of assurance the
> > package is "valid"; but when you actually look into it -- at least in
> > Debian's circumstances -- those signatures can't actually give any
> > meaningful assurance for any specific validity.
> Don't they give the user the assurance that a Debian developer was
> responsible for building and providing the package?
Not really, they give the assurance that it was built by someone who at some point possessed a key that at some point was considered sufficient to identify a Debian developer or a buildd. What assurance would you take from a package signed by Chip's old key?

(And why do you think it's actually helpful? Debian developers build *lots* of crap, especially if you can't differentiate stuff uploaded to Debian and not.)

Cheers,
aj