> Note that signature date is part of the information
> contained in the gpg signature block.
Rethinking this, I suppose that could be faked with a compromised key. So, really the trust path would also require checking that that package originated from debian, i.e. that the dsc matches the information known to a release file that's been signed by one of the debian archive keys.

Anyway, done carefully, it could work.

Best wishes,
Mike
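
The trust path described in the message above, as an added example that is not part of the original email: it follows the hash chain from a Release file to a Sources index to the .dsc, so the .dsc is accepted only if the archive itself lists it. It assumes the Release file's signature has already been verified against the Debian archive keys; the function names, the package "hello-demo" and all sample data are constructed for illustration.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def release_hashes(release_text: str) -> dict:
    """Map path -> (sha256, size) from the SHA256: field of a Release file."""
    out, in_sha = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_sha = line.strip() == "SHA256:"
        elif in_sha:
            digest, size, path = line.split()
            out[path] = (digest, int(size))
    return out

def source_checksums(sources_text: str, package: str, version: str) -> dict:
    """Map filename -> (sha256, size) for one stanza of a Sources index."""
    for stanza in sources_text.strip().split("\n\n"):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line.startswith(" "):
                fields[key].append(line.strip())   # continuation line
            else:
                key, _, value = line.partition(":")
                fields[key] = [value.strip()]
        if (fields.get("Package", [""])[0] == package
                and fields.get("Version", [""])[0] == version):
            entries = [l.split() for l in fields.get("Checksums-Sha256", [])[1:]]
            return {name: (digest, int(size)) for digest, size, name in entries}
    return {}

def dsc_from_archive(dsc, dsc_name, package, version,
                     sources, sources_path, release_text) -> bool:
    """True only if every link Release -> Sources -> .dsc matches.
    Assumption: release_text was already signature-checked by the caller."""
    if release_hashes(release_text).get(sources_path) != (sha256(sources), len(sources)):
        return False
    listed = source_checksums(sources.decode(), package, version)
    return listed.get(dsc_name) == (sha256(dsc), len(dsc))

# Constructed sample data, not real archive content.
DSC = b"Format: 3.0 (quilt)\nSource: hello-demo\nVersion: 1.0-1\n"
SOURCES = (
    "Package: hello-demo\nVersion: 1.0-1\nChecksums-Sha256:\n"
    f" {sha256(DSC)} {len(DSC)} hello-demo_1.0-1.dsc\n"
).encode()
RELEASE = f"Suite: demo\nSHA256:\n {sha256(SOURCES)} {len(SOURCES)} main/source/Sources\n"
```

A .dsc that carries a valid signature from a compromised key still fails this check unless the same bytes are listed in the signed archive metadata.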