On Fri, Mar 09, 2001 at 08:58:26PM -0700, Jason Gunthorpe wrote:
>
> On Fri, 9 Mar 2001, Ben Collins wrote:
>
> > > Then IMHO they are not very worthwhile. When the best Debian can do is say
> > > 'all packages are signed by one of these 800 keys' :P
> >
> > That's why the package should also get signed by the same dinstall key
> > that signs the release sig :P
>
> Debian can't do that because of our mirror network.

Why not? I'm not saying anything about doing release sigs in a package, I am
saying to sign a deb by dinstall as it passes through it and gets installed on
the archive. Let's not keep bringing up this non-existent proposal to sign debs
en masse for releases.

> > Of course, which is why I said that the two complement each other.
>
> If you really think that then let debsigs handle the things it is good at
> and focus on that. I don't think the current dpkg patch has that kind of
> focus.

Of course it does. It verifies a package signature. What is not focused about
that?

> > other picks up. It's not a competition, Jason, it's a cooperative effort
> > here. No one is trying to step on any toes.
>
> I have consistently maintained the viewpoint that deb signatures allow
> fine-grained, highly paranoid security checking when used by a skilled
> user. What I dispute is that they can be automated for use by Debian and
> realize anything but a minor security increase. To me this dpkg patch in
> its current form is exactly that sort of automation and I think it gives a
> bad impression to our users.

What you dispute is the lack of a policy to automate it. That policy (and by
policy I mean adopted by the archive and package tools) has yet to be done, and
is needed for the end result to be in a state that you say it isn't. It's a
matter of time, which is why the patch was added to a CVS branch which will be
in development for some time. It's not like this will be uploaded tomorrow, or
even for woody.

-- 
-----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux  \
`  [EMAIL PROTECTED]  --  [EMAIL PROTECTED]  --  [EMAIL PROTECTED]  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
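As an added illustration of the flow Ben describes (the archive signs each .deb as dinstall accepts it, and dpkg later refuses to install a package whose signature does not verify), the Go program below is example code written for this page; it is not code from the thread, from dpkg or from debsigs. It builds a constructed .deb skeleton (a .deb is an ar(1) archive), has an "archive side" append a detached signature member as the package passes through, and has a "dpkg side" check that member before accepting the package. Assumptions: Ed25519 stands in for the OpenPGP signature dinstall would really make; the member name _gpgorigin and the signed payload (debian-binary, control.tar.gz and data.tar.gz concatenated in that order) are modelled on debsigs conventions and are assumptions, not dpkg's definition; the control and data members are placeholder bytes rather than real tarballs.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strconv"
)

const arMagic = "!<arch>\n"

// arEntry encodes one ar(1) member: a 60-byte header (name, mtime, uid, gid,
// mode, size, "`\n") followed by the data, padded with "\n" to an even length.
func arEntry(name string, data []byte) []byte {
	hdr := fmt.Sprintf("%-16s%-12s%-6s%-6s%-8s%-10d`\n", name, "0", "0", "0", "100644", len(data))
	out := append([]byte(hdr), data...)
	if len(data)%2 == 1 {
		out = append(out, '\n')
	}
	return out
}

// parseDeb walks the ar members of a .deb and returns the bytes the archive
// signature covers (debian-binary, control.tar.gz, data.tar.gz in that order: an
// assumption modelled on debsigs, not dpkg's own definition) and the _gpgorigin member.
func parseDeb(raw []byte) (payload, sig []byte, err error) {
	if !bytes.HasPrefix(raw, []byte(arMagic)) {
		return nil, nil, errors.New("not an ar archive")
	}
	r := bytes.NewReader(raw[len(arMagic):])
	hdr := make([]byte, 60)
	parts := map[string][]byte{}
	for {
		if _, err := io.ReadFull(r, hdr); err == io.EOF {
			break
		} else if err != nil || string(hdr[58:]) != "`\n" {
			return nil, nil, errors.New("truncated or malformed ar member header")
		}
		size, err := strconv.Atoi(string(bytes.TrimSpace(hdr[48:58])))
		if err != nil || size < 0 {
			return nil, nil, errors.New("bad ar member size")
		}
		data := make([]byte, size)
		if _, err := io.ReadFull(r, data); err != nil {
			return nil, nil, err
		}
		r.Seek(int64(size%2), io.SeekCurrent) // skip the padding byte, if any
		parts[string(bytes.TrimSpace(hdr[:16]))] = data
	}
	for _, name := range []string{"debian-binary", "control.tar.gz", "data.tar.gz"} {
		if parts[name] == nil {
			return nil, nil, fmt.Errorf("missing member %s", name)
		}
		payload = append(payload, parts[name]...)
	}
	return payload, parts["_gpgorigin"], nil
}

// archiveSign is the dinstall side: as the package is accepted, a detached signature
// by the archive key is appended as a new member; the uploaded bytes are untouched.
func archiveSign(deb []byte, priv ed25519.PrivateKey) ([]byte, error) {
	payload, _, err := parseDeb(deb)
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, deb...), arEntry("_gpgorigin", ed25519.Sign(priv, payload))...), nil
}

// verifyDeb is the dpkg side: refuse the package unless the archive signature verifies.
func verifyDeb(deb []byte, pub ed25519.PublicKey) error {
	payload, sig, err := parseDeb(deb)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("missing or bad archive signature")
	}
	return nil
}

// buildSampleDeb is a constructed .deb skeleton; the tar members are placeholder bytes.
func buildSampleDeb() []byte {
	return bytes.Join([][]byte{
		[]byte(arMagic),
		arEntry("debian-binary", []byte("2.0\n")),
		arEntry("control.tar.gz", []byte("fake-control")),
		arEntry("data.tar.gz", []byte("fake-data")),
	}, nil)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	signed, _ := archiveSign(buildSampleDeb(), priv)
	tampered := bytes.Replace(signed, []byte("fake-data"), []byte("evil-data"), 1)
	fmt.Println("signed:", verifyDeb(signed, pub), "tampered:", verifyDeb(tampered, pub))
}
```

Two properties of this layout are worth noting. Because ar is append-only and the signed payload covers only the three standard members, the archive's signature is added without touching the bytes that were uploaded, and a further signature member (a maintainer's, say) can be appended later without invalidating it. And because verification is over the member contents rather than the file as a whole, any change to data.tar.gz, a missing _gpgorigin member, or a signature made under some other key all fail the check on the installing side.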

