On Fri, Mar 19, 2010 at 10:38:24AM +0100, Goswin von Brederlow wrote:
> You can always sign the deb. The tools to sign and verify are all
> present. Only ftp-master stands in the way of using that.

I would love signed debs. But this is orthogonal to signed checksum files
and should probably be discussed separately.

> And you could automatically download the changes files along with every
> deb and keep all changes files for installed package/version
> locally. Anyway, I don't consider a ftp/http client a lot of
> infrastructure. It would be trivial to write a tool that downloads the
> changes files for every installed package and verifies it.

The central repository is the infrastructure, not the http client.

> All changes files are already kept. And you would go directly to
> fetching the changes file for the package/version you have
> installed. All it would need is for the changes file archive to become
> public.

If the signature was part of the package, this wasn't needed.

harry