GetDeb Project

Scott Kitterman ubuntu at
Wed Oct 17 17:04:05 UTC 2007

On Wednesday 17 October 2007 10:15, João Pinto wrote:
> > I disagree.  If I'm pulling a .deb from LP over https, I have a lot more
> > confidence in that than one that's signed, but from some external site.
>  Not
> > ideal, but it's better.
> Scott,
> if your trust is based on the URL of the download and not on the PGP
> signature validation, then you do not care  or you do not understand what
> is the PGP signature role.
> I strongly recommend you some reading like:

The fact that you signed a package and the signature validates just means that 
I got what you packaged and signed.  My trust in that package is no higher 
than my trust in you.  

If I download a file from LP, I know I got the file than Ubuntu developers 
uploaded (unless LP has been hacked, a risk I'll consider nil).

Ideally the .debs off LP would be signed, but I'll take that over packages 
from a site that has repeatedly stated they won't meet Ubuntu packaging 
standards with no hesitation.

Scott K

More information about the Ubuntu-devel-discuss mailing list