On 4/4/02 10:28 PM, "Max Horn" <[EMAIL PROTECTED]> wrote:

> At 8:31 Uhr -0500 03.04.2002, Chris Zubrzycki wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Is there any way of signing the deb files in the bin dist to make
>> sure they were made by an authorized developer? Is this in the plan
>> for the future? I remember reading that debian maintainers sign
>> their packages. just a thought.
>
> See my mail to Jeremy for some information on this.
>
> No there is no way to automate the verification of signatures right
> now. We could start to sign .debs in the future, though, and ship the
> .sig's with them. That doesn't mean automatic checking, though. I
> don't think apt-get / dselect support that right now, but I didn't
> look into it yet either, so I might be wrong (anybody got a pointer
> for me on this)?
>
>
> Max

In relation to the verification of signatures, could this be a help in actually signing the packages?:

http://packages.debian.org/unstable/non-us/debsigs.html

If I remember correctly, there is a program that could be installed by the dpkg tools that automatically signed the packages, or it might have been debhelper, I'm not sure.

Anyway, to automatically sign each package created, wouldn't that mean that the individual maintainers would have to build the packages for the stable distribution? That could lead to some inconsistencies...

Alternatively, for the binary distribution, if all the packages are built on the one machine, say... a SF Compile Farm server (if it was certain that it could not be tampered with, although I think you said before that it would not be wise to build on them, Max), they could be signed by the one key...

_______________________________________________
Fink-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/fink-devel