On Thu, Oct 25, 2007 at 08:10:08AM +0200, Raphael Hertzog wrote:
> On Thu, 25 Oct 2007, Sami Liedes wrote:
> > > However, it still fails to do what you describe: The .dsc can be
> > > signed by *anyone* whose key I happen to have in my keyring, not only
> > > by the person in the Maintainer: field, without giving any clue to
> > > whose signature the .dsc has. I can't think what that's good for.
> >
> > Krhm. It seems I got ignored after first misunderstanding the intent
> > of the programmer even if his code doesn't work.
> >
> > Even at the risk of being flamed at, I need to point out that this is
> > still a very real security bug. apt purports to verify something
> > gpg-wise, but utterly fails. I guess we are lucky it's not very
> > verbose about its attempt to verify so there's hope nobody trusts it,
> > but that's just a partial defense. As I pointed out in my previous
> > mail, the fact that a key exists in some user's public key ring simply
> > does not imply any trust at all. Allowing anyone's valid signature in
> > the .dsc, not only the maintainer's, is just plain broken behavior.
>
> Sorry, signature is about making sure you can identify who is the author of
> the source package. It's written nowhere that only DD should be able to sign
> source packages.
No, but it fails to do that either. It doesn't verify that it's signed by
the person in the Maintainer: field. It only verifies that it's signed by
_anyone whose key is in the user's public key ring_, and it doesn't tell
who. That's not the feature you describe, and unless I misunderstand
something, I don't think the current behavior is good for anything.

	Sami
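The check the thread is asking for, as an added example that is not apt's or dpkg's code: take the Maintainer: (and, as an assumption here, Uploaders:) addresses out of the clear-signed .dsc, parse the machine-readable lines GnuPG prints with --status-fd, report who signed, and accept only when the signing key's fingerprint is pinned to one of those addresses. A good signature from some other key in the keyring is reported and rejected, which is the case Sami describes apt accepting. The .dsc text, the status lines and the PINNED_KEYS table are constructed for the example; in practice the pinning would come from a curated keyring, not from whatever happens to be in ~/.gnupg.

```python
"""Bind a .dsc signature to the package's Maintainer field (added example)."""
import re
import subprocess
from dataclasses import dataclass

EMAIL_RE = re.compile(r"<([^>]+)>")

# Constructed: fingerprints the verifier has bound to maintainer addresses.
# This is the trust decision; a key merely being in a keyring is not one.
PINNED_KEYS = {"jane@example.org": {"1234567890ABCDEF1234567890ABCDEF12345678"}}

@dataclass
class SigCheck:
    verdict: str            # "ACCEPT" or "REJECT"
    reason: str
    signer_uid: str = ""    # always reported, so the user learns who signed
    fingerprint: str = ""

def dsc_fields(dsc_text: str) -> dict:
    """RFC822-style fields of a clear-signed .dsc, up to the signature block."""
    fields, current = {}, None
    for line in dsc_text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if line.startswith("-----") or line.startswith("Hash:") or not line.strip():
            continue
        if line[0] in " \t" and current:          # continuation (e.g. Files:)
            fields[current] += "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        current = key.strip()
        fields[current] = value.strip()
    return fields

def allowed_addresses(fields: dict) -> set:
    """Addresses whose pinned keys may sign: Maintainer plus Uploaders (assumed)."""
    return {m.group(1).lower()
            for name in ("Maintainer", "Uploaders")
            for m in EMAIL_RE.finditer(fields.get(name, ""))}

def parse_gpg_status(status_lines) -> dict:
    """Extract GOODSIG/VALIDSIG/failure keywords from `gpg --status-fd` output."""
    info = {}
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split(" ", 2)                # ["[GNUPG:]", KEYWORD, rest]
        keyword, rest = parts[1], (parts[2] if len(parts) > 2 else "")
        if keyword == "GOODSIG":                  # "<keyid> <user id>"
            info["good"], info["uid"] = True, rest.partition(" ")[2]
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            info["good"], info["error"] = False, keyword
        elif keyword == "VALIDSIG":               # first field is the fingerprint
            info["fingerprint"] = rest.split(" ")[0].upper()
    return info

def check_dsc_signer(dsc_text: str, status_lines, pinned=PINNED_KEYS) -> SigCheck:
    info = parse_gpg_status(status_lines)
    if not info.get("good"):
        return SigCheck("REJECT", "no good signature: %s" % info.get("error", "none"))
    uid, fpr = info.get("uid", ""), info.get("fingerprint", "")
    addrs = allowed_addresses(dsc_fields(dsc_text))
    if not addrs:
        return SigCheck("REJECT", "no Maintainer/Uploaders address in .dsc", uid, fpr)
    for addr in addrs:                            # the only binding that counts
        if fpr and fpr in pinned.get(addr, set()):
            return SigCheck("ACCEPT", "signed by key pinned to %s" % addr, uid, fpr)
    # A UID that merely *claims* the maintainer's address proves nothing:
    # anyone can generate a key with any UID.
    if {m.group(1).lower() for m in EMAIL_RE.finditer(uid)} & addrs:
        return SigCheck("REJECT", "UID claims a maintainer address but key is not pinned", uid, fpr)
    return SigCheck("REJECT", "valid signature from a key unrelated to the Maintainer", uid, fpr)

def gpg_status_for(dsc_path: str, keyring: str) -> list:
    """Run GnuPG for real against a curated keyring; the demo uses constructed lines."""
    proc = subprocess.run(["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
                           "--status-fd", "1", "--verify", dsc_path],
                          capture_output=True, text=True)
    return proc.stdout.splitlines()

# Constructed sample .dsc (signature body omitted) and GnuPG status output.
SAMPLE_DSC = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 3.0 (quilt)
Source: example
Version: 1.0-1
Maintainer: Jane Doe <jane@example.org>
Uploaders: Bob Builder <bob@example.org>
Files:
 d41d8cd98f00b204e9800998ecf8427e 0 example_1.0.orig.tar.gz
-----BEGIN PGP SIGNATURE-----
(armoured signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""
_VALID = "VALIDSIG %s 2007-10-25 1193292608 0 4 0 1 8 00 %s"
def _status(keyid, uid, fpr):
    return ["[GNUPG:] NEWSIG", "[GNUPG:] GOODSIG %s %s" % (keyid, uid),
            "[GNUPG:] " + _VALID % (fpr, fpr), "[GNUPG:] TRUST_UNDEFINED 0 pgp"]
STATUS_MAINTAINER = _status("1234567890ABCDEF", "Jane Doe <jane@example.org>",
                            "1234567890ABCDEF1234567890ABCDEF12345678")
STATUS_STRANGER = _status("FEDCBA0987654321", "Mallory <mallory@example.net>",
                          "FEDCBA0987654321FEDCBA0987654321FEDCBA09")   # just "in the keyring"
STATUS_IMPOSTOR = _status("0011223344556677", "Jane Doe <jane@example.org>",
                          "0011223344556677001122334455667700112233")   # copied UID, unpinned key
STATUS_BAD = ["[GNUPG:] BADSIG 1234567890ABCDEF Jane Doe <jane@example.org>"]

if __name__ == "__main__":
    for label, st in (("maintainer", STATUS_MAINTAINER), ("stranger", STATUS_STRANGER),
                      ("impostor", STATUS_IMPOSTOR), ("badsig", STATUS_BAD)):
        r = check_dsc_signer(SAMPLE_DSC, st)
        print("%-10s %-6s %s  signer=%r" % (label, r.verdict, r.reason, r.signer_uid))
```

Only the "maintainer" case is accepted; the "stranger" case is the one apt was letting through, and the "impostor" case shows why matching the e-mail in the UID is not a substitute for pinning the fingerprint.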