On Thu, 25 Oct 2007, Sami Liedes wrote:
> > Sorry, signature is about making sure you can identify who is the author of
> > the source package. It's written nowhere than only DD should be able to sign
> > source packages.
> 
> No, but it fails to do that either. It doesn't verify that it's signed
> by the person in the Maintainer: field. It only verifies that it's
> signed by _anyone whose key is in the user's public key ring_, and it
> doesn't tell who.

The maintainer is not necessarily the uploader of the package to Debian.
So such a check doesn't make sense.

If you want to make sure that the package has been generated by a person
part of a precise set, you'll need to request the --keyring option as I
already explained.

> That's not the feature you describe, and unless I misunderstand
> something, I don't think the current behavior is good for anything.

If you don't pollute your personal keyring, it can be useful. Otherwise
yes the current behaviour is not of much use.

Not being useful doesn't make it a security threat, though.

Cheers,
-- 
Raphaël Hertzog

First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/
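As an added illustration of the point made above about restricting the accepted signers to a precise set (this is example code written for this page, not code from the thread, dpkg or gpg): it verifies a .dsc with gpg against a dedicated keyring instead of the user's personal one, and reads gpg's --status-fd output to learn which key actually signed. The status lines, fingerprint and identity embedded below are constructed placeholders.

```python
import subprocess

# Constructed sample of gpg --status-fd output for a good signature
# (the fingerprint and identity are placeholders, not a real key).
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Placeholder Uploader <uploader@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-10-25 1193292000 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""

# Constructed sample for a signature that does not verify.
BAD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Placeholder Uploader <uploader@example.org>
"""


def gpg_verify_command(dsc_path, keyring_path):
    """gpg invocation limited to one dedicated keyring, with machine-readable status on stdout."""
    return ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
            "--status-fd", "1", "--verify", dsc_path]


def signer_fingerprint(status_output):
    """Return the primary-key fingerprint behind a valid signature, or None.

    gpg emits VALIDSIG only for a good, verified signature; its second field is the
    signing (sub)key fingerprint and its last field the primary key fingerprint.
    """
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return fields[-1]
    return None


def check_signer(status_output, allowed_fingerprints):
    """Return (accepted, fingerprint); accept only a valid signature from an allowed key."""
    fpr = signer_fingerprint(status_output)
    return (fpr is not None and fpr in allowed_fingerprints, fpr)


def verify_dsc(dsc_path, keyring_path, allowed_fingerprints):
    """Run gpg against the dedicated keyring and decide based on who actually signed."""
    proc = subprocess.run(gpg_verify_command(dsc_path, keyring_path),
                          capture_output=True, text=True)
    return check_signer(proc.stdout, allowed_fingerprints)
```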