Fedora and Debian
Posted Apr 9, 2004 21:48 UTC (Fri) by EricBackus
In reply to: Fedora and Debian
Parent article: Which is the best distribution?
> Package signatures are not practical in a distributed
> project like Debian: they would require that all users
> get the entire Debian maintainer keyring in order to
> verify packages.
First of all, if Debian were so inclined, it could make it easy to get and verify the entire Debian maintainer keyring.
Second of all, the right solution would probably involve having a Debian Signer person (or group of people?) that signs packages, so end users need only verify against that one signature. The Debian Signer would of course have to be able to verify signatures from any Debian maintainer.
Third of all, even if making this work is difficult (which it shouldn't be), that's not a good enough excuse. Signed packages are *important*. Given that other distributions do this transparently and Debian doesn't, I really don't understand why anyone uses Debian at all.