Op ma 01-12-2003, om 14:34 schreef Goswin von Brederlow: [...] > Deb signatures method C: > > And now for something completly different. A man with 3 noses. :) > > Instead of keeping extra files with the signature of the deb the > information could be stored inside the deb itself. [...] As much as I like this idea in principle, storing signatures inside .debs has a serious problem: it won't work for us buildd maintainers. As I explain in my document on wanna-build (usually at http://people.debian.org/~wouter/wanna-build-states, but due to some problems with that machine temporarily currently at http://www.grep.be/wanna-build-states.html too), buildd maintainers do not manually log in to their autobuilder to sign each and every .changes on its hard disk; instead, they extract the .changes file from the mails of successful messages sent to them (and to logs@buildd.debian.org, which processes them into what people can look up on http://buildd.debian.org), sign that, and send it back. In reply, the buildd will move all files mentioned in the .changes to an upload directory for them to be uploaded. This results in quite a few mails daily for me, being "just" the admin of 2 (out of 11) m68k autobuilders; it must be a hell of a lot more for those such as Ryan Murray and James Troup, who are and/or have been the sole autobuilder maintainers for multiple architectures. Requiring us to log in to the autobuilder to sign the .deb remotely is not acceptable, for two reasons: * it's way too much work for most of us * it requires copying the secret key over, which is, uh, a bad idea. An alternative would be to copy over the .debs, sign them on the local hard disk, and upload them from there. That won't work either; it only solves the second problem (as you don't have to copy the secret key over), not the first, and it adds a bandwidth-related (if I have to download all packages arrakis successfully builds, have to sign them locally, and upload them again, I might exceed the download quota my ISP has implemented; requesting a higher quota involves paying for it) So unless you have a suggestion that would solve this particular issue, I'm afraid this idea won't work in practice. -- Wouter Verhelst Debian GNU/Linux -- http://www.debian.org Nederlandstalige Linux-documentatie -- http://nl.linux.org "Stop breathing down my neck." "My breathing is merely a simulation." "So is my neck, stop it anyway!" -- Voyager's EMH versus the Prometheus' EMH, stardate 51462.
Attachment:
signature.asc
Description: Dit berichtdeel is digitaal ondertekend