Anthony Towns <aj@azure.humbug.org.au> writes:

> On Fri, Nov 25, 2005 at 12:49:11PM -0800, Thomas Bushnell BSG wrote:
>> Anthony Towns <aj@azure.humbug.org.au> writes:
>> > .deb signatures are aimed at giving users some sort of assurance the
>> > package is "valid"; but when you actually look into it -- at least in
>> > Debian's circumstances -- those signatures can't actually give any
>> > meaningful assurance for any specific validity.
>> Don't they give the user the assurance that a Debian developer was
>> responsible for building and providing the package?
>
> Not really, they give the assurance that it was built by someone who at
> some point possessed a key that at some point was considered sufficient
> to identify a Debian developer or a buildd.
>
> What assurance would you take from a package signed by Chip's old key?
>
> (And why do you think it's actually helpful? Debian developers build
> *lots* of crap, especially if you can't differentiate stuff uploaded to
> Debian and not)
>
> Cheers,
> aj
They also upload *lots* of crap. Should we stop using Release.gpg now?

MfG
Goswin