On Fri, 2003-12-05 at 04:54, Manoj Srivastava wrote: > > The only one which comes to mind is a rogue Debian developer that > > you do not wish to trust, even though the project trusts him. > > Not quite. The signed deb is non-repudiable authorship -- nice > to know whence the software cometh.
No it isn't. For it to be non-repudiable, you'd have to demonstrate that the key has not been compromised; that the developer knew what he was signing (as opposed to a trojaned gpg telling him one thing while doing another); etc. Proving those is quite impossible --- especially if he doesn't want you to: He can always compromise his own key, on purpose.
signature.asc
Description: This is a digitally signed message part
