GetDeb Project
Scott Kitterman
ubuntu at kitterman.com
Wed Oct 17 17:04:05 UTC 2007
On Wednesday 17 October 2007 10:15, João Pinto wrote:
> > I disagree. If I'm pulling a .deb from LP over https, I have a lot more
> > confidence in that than one that's signed, but from some external site.
> > Not ideal, but it's better.
>
> Scott,
> if your trust is based on the URL of the download and not on the PGP
> signature validation, then you either do not care or do not understand
> what the PGP signature's role is.
>
> I strongly recommend some reading, such as:
> http://cryptnet.net/fdp/crypto/strong_distro.html
> http://wiki.debian.org/SecureApt
>
The fact that you signed a package and the signature validates just means that
I got what you packaged and signed. My trust in that package is no higher
than my trust in you.
If I download a file from LP, I know I got the file that Ubuntu developers
uploaded (unless LP has been hacked, a risk I'll consider nil).
Ideally the .debs off LP would be signed, but I'll take that over packages
from a site that has repeatedly stated they won't meet Ubuntu packaging
standards with no hesitation.
Scott K
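The distinction Scott draws above, that a valid signature only proves the bytes came from whoever holds the signing key, while trusting that key holder is a separate decision, can be made concrete in code. The following is an added illustration, not code from the thread or from Ubuntu/Launchpad tooling: Ed25519 stands in for PGP signing, a SHA-256 of the public key stands in for a key fingerprint, and the two signing keys are derived from fixed seeds purely as constructed test data. The trust list is the analogue of the apt keyring: a signer is only trusted if their fingerprint was placed there beforehand.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict separates the two questions a signed download answers:
// "is this what the key holder signed?" and "is that key holder someone I trust?"
type Verdict struct {
	SignatureValid bool   // the bytes are exactly what the signing key holder signed
	SignerTrusted  bool   // that signer's fingerprint is in our trust list (and the signature is valid)
	Fingerprint    string // hex SHA-256 of the signer's public key (stand-in for a PGP fingerprint)
}

// fingerprint returns a hex SHA-256 of a public key, used here in place of a PGP key fingerprint.
func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// pubOf extracts the public half of an Ed25519 private key.
func pubOf(priv ed25519.PrivateKey) ed25519.PublicKey {
	return priv.Public().(ed25519.PublicKey)
}

// checkPackage verifies a detached signature over pkg and then, separately,
// checks whether the signer is in the trust list. Signature validity never
// implies trust on its own.
func checkPackage(pkg, sig []byte, signer ed25519.PublicKey, trusted map[string]bool) Verdict {
	fp := fingerprint(signer)
	valid := ed25519.Verify(signer, pkg, sig)
	return Verdict{
		SignatureValid: valid,
		SignerTrusted:  valid && trusted[fp],
		Fingerprint:    fp,
	}
}

// runScenario builds two signing keys from fixed seeds (constructed test data, not real keys),
// trusts only the first, and evaluates three downloads: signed by the trusted "archive" key,
// signed by an unknown external key, and a tampered file carrying the archive key's signature.
func runScenario() map[string]Verdict {
	archiveKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	externalKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))

	// Only the archive key's fingerprint has been enrolled, like a key in an apt keyring.
	trusted := map[string]bool{fingerprint(pubOf(archiveKey)): true}

	pkg := []byte("Package: example\nVersion: 1.0\n") // constructed stand-in for .deb bytes
	results := map[string]Verdict{}

	archiveSig := ed25519.Sign(archiveKey, pkg)
	results["archive-key"] = checkPackage(pkg, archiveSig, pubOf(archiveKey), trusted)

	// A valid signature from a key nobody enrolled: authentic, but not trusted.
	externalSig := ed25519.Sign(externalKey, pkg)
	results["external-key"] = checkPackage(pkg, externalSig, pubOf(externalKey), trusted)

	// The archive key's signature presented with modified bytes: verification fails.
	tampered := append(append([]byte{}, pkg...), []byte("Depends: something-else\n")...)
	results["tampered"] = checkPackage(tampered, archiveSig, pubOf(archiveKey), trusted)

	return results
}

func main() {
	for name, v := range runScenario() {
		fmt.Printf("%-13s valid=%-5t trusted=%-5t signer=%s\n",
			name, v.SignatureValid, v.SignerTrusted, v.Fingerprint[:16])
	}
}
```

Run with `go run`: the external key's package reports `valid=true trusted=false`, which is exactly the case in the thread, a signature that checks out mathematically but says nothing about whether the signer should be trusted. The trust decision lives entirely in the `trusted` map, which is why the question of who controls that list (an archive keyring versus a key fetched from the same site as the package) matters more than whether a signature is present.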