On 31/12/14 06:23, Florian Weimer wrote:
> * Riley:

Thanks for your review! I've uploaded the latest version of the package to mentors, with the below changes. You can get it using:

dget -x http://mentors.debian.net/debian/pool/main/s/signify-openbsd/signify-openbsd_8-1.dsc

>> Similar to GNU Privacy Guard (GPG), signify is the tool which
>> OpenBSD uses to cryptographically sign its releases, so that
>> you can be sure that you are actually getting a release made by
>> OpenBSD, as opposed to a malicious forgery designed to look
>> the same.
>
> You can't use the package as-is for verification because it does not
> ship the OpenBSD signing keys (and rightly so). This is different
> from OpenBSD where the signing keys are baked into the distribution
> (but obviously, you have to do that leap of faith just once, same with
> Debian, more or less).

I've added a note about this in the package description and the manpage. The note in the manpage has been accepted by upstream.

>> Signify's usage is not limited to OpenBSD's releases, however -
>> it can be used to sign any software.
>
> (And not just software.)

Changed to "anything" instead of "any software".

>> So that it will work on Linux, the version of signify provided
>> in this package is not exactly the same as the version provided
>> in OpenBSD's CVS tree; however the upstream changes are
>> frequently merged.
>
> That's not actually true once this package ends up in a stable
> release.

Okay, good point. I've removed this notice.

> There's been a recent change which you should pick up (“fingerprints”
> are no more).

I've made the change in a patch. There's no point sending this upstream, since when upstream next syncs with OpenBSD's CVS, they'll get this change anyway.