On Thu, 25 Oct 2007, Sami Liedes wrote:
> > However, it still fails to do what you describe: The .dsc can be
> > signed by *anyone* whose key I happen to have in my keyring, not only
> > by the person in the Maintainer: field, without giving any clue to
> > whose signature the .dsc has. I can't think what that's good for.
>
> Krhm. It seems I got ignored after first misunderstanding the intent
> of the programmer even if his code doesn't work.
>
> Even at the risk of being flamed at, I need to point out that this is
> still a very real security bug. apt purports to verify something
> gpg-wise, but utterly fails. I guess we are lucky it's not very
> verbose about its attempt to verify so there's hope nobody trusts it,
> but that's just a partial defense. As I pointed out in my previous
> mail, the fact that a key exists in some user's public key ring simply
> does not imply any trust at all. Allowing anyone's valid signature in
> the .dsc, not only the maintainer's, is just plain broken behavior.
Sorry, the signature is about making sure you can identify who the author of the source package is. It's written nowhere that only a DD should be able to sign source packages. It's not a security bug, it's a feature.

You might want to convert this into a wishlist bug asking for a parameter where you can list keyrings to consider while checking the signature. But no more. I don't think the default behaviour will ever change.

Cheers,
-- 
Raphaël Hertzog

First French book on Debian GNU/Linux: http://www.ouaza.com/livre/admin-debian/
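The disagreement above is about what a "good" signature on a .dsc should mean: gpg reporting GOODSIG only says the file was signed by some key in the keyring, and the thread's complaint is that apt stops there. The following added example (not apt's, dpkg's or the list participants' code) shows the stricter check a downloader can apply: run `gpg --status-fd 1 --verify foo.dsc`, parse the machine-readable status lines, and accept only when the signature is good, valid, and made by a key whose primary fingerprint is in an explicit allowlist (for instance, fingerprints pulled from the Debian keyring package, which is roughly what the "list keyrings to consider" wishlist item would provide). The fingerprints and status output below are constructed sample data, not real keys.

```python
"""Accept a .dsc signature only from a key trusted for source packages.

Added example, not apt's or dpkg's code.  Assumes the caller ran
    gpg --status-fd 1 --verify foo.dsc
and captured stdout.  Fails closed: a good signature from a key that is
merely present in the user's keyring is NOT enough.
"""
import re

# Status lines look like "[GNUPG:] KEYWORD arg1 arg2 ...".
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(status_output):
    """Return a list of (keyword, [args]) tuples from gpg --status-fd output."""
    records = []
    for line in status_output.splitlines():
        m = STATUS_RE.match(line)
        if m:
            records.append((m.group(1), (m.group(2) or "").split()))
    return records


def check_dsc_signature(status_output, trusted_fprs):
    """Return (accepted, reason).

    Accepts only when gpg reports GOODSIG + VALIDSIG and the primary-key
    fingerprint from VALIDSIG is in trusted_fprs (uppercase hex strings).
    """
    records = parse_status(status_output)
    keywords = {kw for kw, _ in records}
    if "BADSIG" in keywords:
        return False, "signature does not match the file"
    if "NO_PUBKEY" in keywords or "ERRSIG" in keywords:
        return False, "signing key not available, cannot verify"
    if "EXPKEYSIG" in keywords or "REVKEYSIG" in keywords:
        return False, "signing key is expired or revoked"
    if "GOODSIG" not in keywords:
        return False, "no good signature found"
    for kw, args in records:
        if kw == "VALIDSIG":
            # Field 10 (when present) is the primary key fingerprint; older gpg
            # versions only emit the signing (sub)key fingerprint in field 1.
            fpr = (args[9] if len(args) >= 10 else args[0]).upper()
            if fpr in trusted_fprs:
                return True, "signed by trusted key " + fpr
            return False, "valid signature, but key " + fpr + " is not trusted for source packages"
    return False, "GOODSIG without VALIDSIG"


# --- constructed sample data (placeholder fingerprints, not real keys) ---
MAINTAINER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
STRANGER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
TRUSTED = {MAINTAINER_FPR}

# The maintainer's key, listed in the allowlist.
SAMPLE_TRUSTED = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maint@example.org>\n"
    "[GNUPG:] VALIDSIG " + MAINTAINER_FPR + " 2007-10-25 1193270400 0 4 0 1 2 01 " + MAINTAINER_FPR + "\n"
    "[GNUPG:] TRUST_FULLY\n"
)
# The case the thread describes: a perfectly good signature from some other
# key that happens to sit in the user's keyring.
SAMPLE_STRANGER = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 3210FEDCBA987654 Someone Else <someone@example.net>\n"
    "[GNUPG:] VALIDSIG " + STRANGER_FPR + " 2007-10-25 1193270400 0 4 0 1 2 01 " + STRANGER_FPR + "\n"
    "[GNUPG:] TRUST_UNDEFINED\n"
)
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Maintainer <maint@example.org>\n"
SAMPLE_NOKEY = "[GNUPG:] NEWSIG\n[GNUPG:] ERRSIG 89ABCDEF01234567 1 2 01 1193270400 9\n[GNUPG:] NO_PUBKEY 89ABCDEF01234567\n"

if __name__ == "__main__":
    for name, out in [("maintainer", SAMPLE_TRUSTED), ("stranger", SAMPLE_STRANGER),
                      ("bad", SAMPLE_BAD), ("nokey", SAMPLE_NOKEY)]:
        print(name, check_dsc_signature(out, TRUSTED))
```

The allowlist is the whole point: it comes from a keyring chosen for this purpose (e.g. `gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --with-colons --fingerprint` lists its fingerprints), not from whatever keys the user has imported over the years. Keep the comparison on the primary-key fingerprint rather than the short key ID so that a key ID collision cannot be used to slip a stranger's signature into the allowlist.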