On Wed, Aug 28, 2019 at 04:02:32PM +0500, Andrey Rahmatullin wrote: > On Wed, Aug 28, 2019 at 12:09:41AM -0400, Scott Kitterman wrote: > > I also check that the signature validates when I download a package from > > the > > archive. I like the fact that this signature connects to a developer key > > in > > the keyring. > I think this doesn't work for e.g. old packages whose last uploader is > already retired or changed the key.
it does, though nobody said it was easy.
src:debian-keyring is available on snapshot.d.o, so it's possible.
--
cheers,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
signature.asc
Description: PGP signature
