On Mon, Oct 31, 2005 at 04:57:56PM -0500, Marty wrote: > what really bothers me is having no way to validate marillat packages, > since I'm running stable. (That's another issue which I've tried to > address without success.)
In Marillat's ftp archive are various .dsc files, for each package. This is signed by his GPG key, which is in the debian-keyring package. The file itself contains the md5sums of the constituent parts of the source packages (diff.gz and orig.tar.gz). You can use these to build your own binary packages. If the binaries were tampered with, their md5sums wouldn't match the .dsc file. If the .dsc file was tampered with, the signature wouldn't be valid. -- Jon Dowland http://jon.dowland.name/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
