Signed upstream tarballs in Debian


In the past, numerous file distribution servers have been compromised, and the attacker replaced a release tarball or zip archive with a modified version containing a backdoor. Distributions usually protect their own infrastructure against this kind of attack with signatures (signed packages and repository metadata), but that protection does not cover the initial retrieval of the source code from upstream, which is usually done by downloading the release tarball.
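As an added example (this is not code from the post and not Debian's own tooling), the following shell script shows the check that closes this gap: the upstream tarball is verified against a detached OpenPGP signature using a keyring the downstream pinned in advance, not a key fetched from the same server as the tarball. Everything in it is constructed for the demonstration: the project name, the e-mail addresses, the keys and the "mirror" all live in a temporary directory, and the three cases at the end show the genuine release, a tampered tarball with the original signature, and a tampered tarball the attacker re-signed with their own key.

```shell
#!/bin/sh
# Added example: detached-signature verification of an upstream release
# tarball against a pinned keyring. Not code from the post or from Debian;
# all names, addresses and files below are made up and live in a temp dir.
set -eu

WORK=$(mktemp -d /tmp/sut.XXXXXX)
export GNUPGHOME="$WORK/gnupg"        # never touch the real keyring
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Non-interactive gpg with an empty passphrase (throw-away test keys only).
gpgq() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# --- "upstream" side -------------------------------------------------------
# Build the release tarball and sign it with the project's release key.
make_release() {
    mkdir -p "$WORK/src/foo-1.0"
    printf 'int main(void) { return 0; }\n' > "$WORK/src/foo-1.0/main.c"
    tar -C "$WORK/src" -czf "$WORK/foo-1.0.tar.gz" foo-1.0

    gpgq --quick-generate-key 'Foo Release Key <release@foo.example>' default sign never
    gpgq --local-user release@foo.example --armor --detach-sign \
         --output "$WORK/foo-1.0.tar.gz.asc" "$WORK/foo-1.0.tar.gz"
}

# --- "downstream" side -----------------------------------------------------
# Pin the upstream key once, out of band. This is the one step a compromised
# download server cannot influence, so the keyring must ship with the
# downstream package, never be fetched next to the tarball.
pin_upstream_key() {
    gpgq --export release@foo.example > "$WORK/upstream-keyring.gpg"
}

# Verify tarball $1 against detached signature $2 using only keyring $3.
# gpgv exits 0 only for a good signature made by a key in that keyring;
# a signature by any other key, or over modified data, is rejected.
verify_tarball() {
    gpgv --quiet --keyring "$3" "$2" "$1" 2>/dev/null
}

# --- the attack the post describes -----------------------------------------
# The attacker controls the mirror: they append a payload to the tarball and
# can also upload a fresh, perfectly valid signature made with their own key.
plant_backdoor() {
    cp "$WORK/foo-1.0.tar.gz" "$WORK/foo-1.0-backdoored.tar.gz"
    printf 'BACKDOOR\n' >> "$WORK/foo-1.0-backdoored.tar.gz"
    gpgq --quick-generate-key 'Foo Release Key <attacker@mirror.example>' default sign never
    gpgq --local-user attacker@mirror.example --armor --detach-sign \
         --output "$WORK/foo-1.0-backdoored.tar.gz.asc" "$WORK/foo-1.0-backdoored.tar.gz"
}

make_release
pin_upstream_key
plant_backdoor

# Report each case; a downstream must only unpack when verify_tarball succeeds.
report() {
    if verify_tarball "$2" "$3" "$WORK/upstream-keyring.gpg"; then
        echo "$1: signature OK"
    else
        echo "$1: REJECTED"
    fi
}

report "genuine tarball, upstream signature"    "$WORK/foo-1.0.tar.gz"            "$WORK/foo-1.0.tar.gz.asc"
report "backdoored tarball, upstream signature" "$WORK/foo-1.0-backdoored.tar.gz" "$WORK/foo-1.0.tar.gz.asc"
report "backdoored tarball, attacker signature" "$WORK/foo-1.0-backdoored.tar.gz" "$WORK/foo-1.0-backdoored.tar.gz.asc"
```

The third case is the one that matters: the attacker's signature is cryptographically valid, so checking "is there a good signature" is not enough; only checking "is there a good signature by the key we pinned" rejects it. In Debian this is what uscan does when debian/watch carries a pgpsigurlmangle option and the upstream key is shipped in debian/upstream/signing-key.asc.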


GnuPG Key Transition


I'm currently changing my PGP key from 0xA901B029594CA03B to 0xEC371482956781AF. There are different reasons for that, and this key has been hanging around on my hard drive for a while, but dkg found a good reason why I should change now and gave some tips for the transition process... and as a good Debian maintainer, I shouldn't go against the orders of an upcoming Debian developer :)
