Re: RFC: Signed packages and translations

To: Christian Kurz <shorty@debian.org>
Cc: <debian-devel@lists.debian.org>
Subject: Re: RFC: Signed packages and translations
From: Simon Richter <Simon.Richter@phobos.fachschaften.tu-muenchen.de>
Date: Sat, 1 Sep 2001 19:21:28 +0200 (CEST)
Message-id: <[🔎] Pine.LNX.4.31.0109011913350.15409-100000@phobos.fachschaften.tu-muenchen.de>
In-reply-to: <[🔎] 20010901104918.B6527@salem.getuid.de>

On Sat, 1 Sep 2001, Christian Kurz wrote:

> > not be ascii armored since this would only introduce transmission overhead
> > and gain nothing. The file name for this file is constructed from the

> Why does it gain nothing? What about problems during transmission? The
> ascii armor output which is protected by a crc checksum would help
> notice such a transmission problem.

dpkg already has a mechanism for finding packages that have been corrupted
by transferring them in ASCII mode. I mean, the .tar.gz is already binary,
so why should the file following it be ASCII?

> > If the original filename is no more than sizeof(ar_name)-2 bytes long, ".s"
> > is appended to it. If it is longer, the part of the file name before the

> .s? Another new extension? If you want to achive confusion for our users
> and developers, that's a possible way to go. If you really don't want to
> use ascii armor, then the extension should be .sig or if you use
> ascii-armor then .asc.

The problem here is the filename length limit. I would have gone for
".sig" otherwise. Besides, you will only see those if you look at .deb
files directly.

> >  - An end user can verify who built the .deb file.

> And how many developers does a end user personally know, so that he
> trust them? In my humble opinion, this will not gain anything for the
> end-users.

Point taken. I still would like to keep the maintainer's signature in the
archive, but that's optional as long as the packages are signed by
someone.

> >  - Modify the autobuilders and existing developer scripts ("debsign") so
> >    that they call dpkg-deb to sign the packages additionally to signing the
> >    .changes file.

> Sign packages build by an auto-builder?

Of course. katie needs to verify that they were indeed created by an
"official" autobuilder.

   Simon

-- 
GPG public key available from http://phobos.fs.tum.de/pgp/Simon.Richter.asc
 Fingerprint: DC26 EB8D 1F35 4F44 2934  7583 DBB6 F98D 9198 3292
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!

Reply to:

Follow-Ups:
- Re: RFC: Signed packages and translations
  - From: Christian Kurz <shorty@debian.org>
- Re: RFC: Signed packages and translations
  - From: Niklas Hoglund <niklas.hoglund@telia.com>

References:
- Re: RFC: Signed packages and translations
  - From: Christian Kurz <shorty@debian.org>

Prev by Date: Re: RFC: Signed packages and translations
Next by Date: Re: RFC: Signed packages and translations
Previous by thread: Re: RFC: Signed packages and translations
Next by thread: Re: RFC: Signed packages and translations
Index(es):
- Date
- Thread