On Wednesday 17 October 2007 10:15, João Pinto wrote:
> > I disagree. If I'm pulling a .deb from LP over https, I have a lot more
> > confidence in that than one that's signed, but from some external site. Not
> > ideal, but it's better.
>
> Scott,
> if your trust is based on the URL of the download and not on the PGP
> signature validation, then you do not care or you do not understand what
> the PGP signature's role is.
>
> I strongly recommend some reading, like:
> http://cryptnet.net/fdp/crypto/strong_distro.html
> http://wiki.debian.org/SecureApt
The fact that you signed a package and the signature validates just means that I got what you packaged and signed. My trust in that package is no higher than my trust in you. If I download a file from LP, I know I got the file that Ubuntu developers uploaded (unless LP has been hacked, a risk I'll consider nil). Ideally the .debs off LP would be signed, but I'll take that, with no hesitation, over packages from a site that has repeatedly stated they won't meet Ubuntu packaging standards.

Scott K

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
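Both posters are arguing about what a signature actually vouches for. Under SecureApt (the wiki page João links), the archive key signs only the Release file; the Release file then carries the hashes of the Packages indexes, and each Packages stanza carries the hash of its .deb. A valid signature therefore says exactly what Scott says it says: the signer produced this Release file, and everything below it is bound to it by hashes, not by the URL it was fetched from. The script below is an added example, not code from this thread or from apt, and it implements only the hash chain (Release -> Packages -> .deb); the gpg step that checks the Release signature against the archive keyring is assumed to have run first and is left out because it needs a keyring and gpgv. All inputs (the .deb bytes, Packages stanza and Release file) are constructed inline.

```python
"""Verify the SecureApt hash chain below a signed Release file.

Added example, not from the mailing-list thread or from apt. Only the hash
chain Release -> Packages -> .deb is implemented; validating the Release
signature itself (gpgv against the archive keyring) is assumed to have
happened before this runs. All sample inputs are constructed.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256, size)} from the 'SHA256:' section of a Release file.

    The section is the 'SHA256:' header followed by indented lines of
    '<hex digest> <size> <path>'; any unindented line ends the section.
    """
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith((" ", "\t")):
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text: str) -> list:
    """Split a Packages file into stanzas of 'Field: value' dicts (blank line separates stanzas)."""
    stanzas, current = [], {}
    for line in packages_text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def verify_entry(data: bytes, expected_sha256: str, expected_size: int) -> bool:
    """Size check first (cheap), then a constant-time digest comparison."""
    return len(data) == expected_size and hmac.compare_digest(sha256_hex(data), expected_sha256)


def verify_chain(release_text: str, packages_path: str, packages_blob: bytes,
                 package_name: str, deb_blob: bytes) -> bool:
    """True only if Release vouches for Packages and Packages vouches for the .deb."""
    release = parse_release_sha256(release_text)
    if packages_path not in release:
        return False                      # index not listed: the signer never vouched for it
    digest, size = release[packages_path]
    if not verify_entry(packages_blob, digest, size):
        return False                      # tampered or stale Packages index
    for stanza in parse_packages(packages_blob.decode()):
        if stanza.get("Package") == package_name:
            return verify_entry(deb_blob, stanza["SHA256"], int(stanza["Size"]))
    return False                          # package not in the signed index


# ---- constructed sample archive (hypothetical names, not a real Ubuntu archive) ----
DEB_BLOB = b"!<arch>\ndebian-binary   2.0\n"   # stand-in for .deb bytes; content is arbitrary
DEB_PATH = "pool/main/h/hello/hello_1.0-1_all.deb"
PACKAGES_PATH = "main/binary-i386/Packages"

PACKAGES_BLOB = (
    "Package: hello\n"
    "Version: 1.0-1\n"
    "Architecture: all\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(DEB_BLOB)}\n"
    f"SHA256: {sha256_hex(DEB_BLOB)}\n"
    "\n"
).encode()

RELEASE_TEXT = (
    "Origin: Example\n"
    "Suite: gutsy\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES_BLOB)} {len(PACKAGES_BLOB)} {PACKAGES_PATH}\n"
)

if __name__ == "__main__":
    ok = verify_chain(RELEASE_TEXT, PACKAGES_PATH, PACKAGES_BLOB, "hello", DEB_BLOB)
    tampered = verify_chain(RELEASE_TEXT, PACKAGES_PATH, PACKAGES_BLOB, "hello", DEB_BLOB[:-1] + b"X")
    print("genuine .deb:", ok, "| same-size tampered .deb:", tampered)
```

Note what the chain does and does not establish: a .deb that passes is the one the Release signer vouched for, full stop. Whether that signer should be trusted (Scott's point) is a separate question that no amount of HTTPS or hashing answers, and the transport URL never enters the check at all.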