Steve Langasek wrote:
> On Tue, 27 Feb 2001, Peter S Galbraith wrote:
>
> > In fact, make _sure_ you don't allow access to a signed .changes
> > file on an unofficial web page because that would allow anybody
> > to upload it to Debian. It's signed after all.
>
> Are the Debian upload queues not all password-protected?

I thought there were some anonymous ones. I've never used them
so I'm not certain.

> If they aren't all password-protected, then how can we cryptographically sign
> packages which are not suitable for upload into Debian that we want to
> distribute from our own sites?

You can safely use the signed .dsc file for the source part.
The signed .changes file really only adds the .deb to that, but
the .deb itself isn't signed, so sign any ASCII file that
displays the md5sum of the .deb. It doesn't have to be the
.changes file at all.

Peter
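
The receiving side of the approach described in the reply above, as an added example that is not part of the original thread: once gpg has verified the signed text file and written out its plaintext, each listed .deb is checked against the digest that file displays. The function names and the package file name are constructed for illustration; MD5 is used because the post names md5sum, and a current setup would list SHA-256 digests the same way.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# One line of md5sum output: 32 hex digits, a space, ' ' or '*', then the file name.
LINE = re.compile(r"^([0-9a-f]{32}) [ *](.+)$")

def parse_manifest(text):
    """Return {file name: md5 hex} from text whose signature gpg has already verified."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # blank lines and anything that is not a checksum line
        digest, name = m.groups()
        # Refuse names with directory parts so the list cannot point outside the directory.
        if os.path.basename(name) != name or name in (".", ".."):
            raise ValueError("unsafe file name in manifest: %r" % name)
        entries[name] = digest
    return entries

def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def check_directory(manifest_text, directory):
    """Map each listed file to 'ok', 'mismatch' or 'missing'."""
    result = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result[name] = "missing"
        else:
            result[name] = "ok" if md5_of(path) == expected else "mismatch"
    return result

def demo():
    # Constructed sample: a stand-in .deb and the checksum line that would be signed.
    with tempfile.TemporaryDirectory() as d:
        deb = Path(d, "hello_1.0-1_i386.deb")
        deb.write_bytes(b"constructed package bytes")
        manifest = "%s  %s\n" % (md5_of(deb), deb.name)
        before = check_directory(manifest, d)
        deb.write_bytes(b"constructed package bytes, altered after signing")
        after = check_directory(manifest, d)
        return before, after

if __name__ == "__main__":
    print(demo())
```

Pass `check_directory` only the plaintext that gpg emitted after a successful signature check, never the raw downloaded file, since text outside the signed region carries no guarantee.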