On 29 aug. 2013, at 09:39, Florian Weimer <f...@deneb.enyo.de> wrote:
> How would you tell a legitimate security update from a version that > lacks a signature for other reasons? If you are worried about a non-official/malicious update for the package, the .deb will still need to have a proper signature. The discussion here is the signature on the jar file that is read/verified by the jre. -- Richard -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4dedc154-c4cc-4ded-86ec-373b760de...@vdberg.org