>>>>> "Matthew" == Matthew Palmer <[EMAIL PROTECTED]> writes:
Matthew> I'm keenly interested in per-package signatures for
Matthew> Debian packages -- I think they're a great idea and it's
Matthew> a pity that they haven't received more interest.

Same here. I would really like to see all packages signed, not just
the source code and not just the archive (if any) they came from.

I see advantages:

* ability to check downloaded binary package even if it no longer
  exists in latest archive.

* ability to trace the source of a binary package in a secure way,
  whether it was built by a maintainer, automatically built by an
  autobuilder (which one?), or built by some 3rd party.

  Yes - I realize some people consider automatic signing by an
  autobuilder to be "insecure" - however I think it is more secure
  than not having any signature - when deciding on how much you trust
  it you need to take into account the source. Besides, I believe the
  archive is already signed automatically anyway.

* this can occur without trying to look up the *.changes file
  (assuming it still exists - for packages never uploaded to Debian,
  maybe not).

* others I am too lazy to think of.

Matthew> I've never seen dpkg-sig mentioned before, only debsigs,
Matthew> so I'm not familiar with the tool itself, but the concept
Matthew> is one that needs a lot more exposure.

I would speculate debsigs got a name change to dpkg-sig. Can somebody
confirm or deny?
-- 
Brian May <[EMAIL PROTECTED]>