On Sat, Oct 30, 2004 at 12:00:16PM +0200, Marc 'HE' Brockschmidt wrote:
> Matthew Palmer <[EMAIL PROTECTED]> writes:
> [...]
> > If we can get individually-signed .debs, you won't even need to worry so
> > much about getting the torrent files off a trusted mirror...
>
> dpkg-sig exists. Use it :)
Thanks for that, and I know all about it and sign all of my internally-generated .debs for work. However, I don't bother doing it for my Debian-uploaded ones because (a) anything built by an autobuilder won't have any sigs in it, (b) most other developers aren't signing, and (c) at this point in time, signed Release files and tracking down from there is the best way of verifying packages, and it's the only way that has much of a chance (from picking a package at random) of working.

- Matt