On Thu, Nov 24, 2005 at 10:43:38AM -0200, Henrique de Moraes Holschuh wrote: > On Thu, 24 Nov 2005, Anthony Towns wrote: > > On Wed, Nov 23, 2005 at 04:37:05PM -0200, Henrique de Moraes Holschuh wrote: > > > On Thu, 24 Nov 2005, Anthony Towns wrote: > > > > Personally, I think it's cryptographic snake oil, at least in so far > > > A signed deb has a seal of procedence and allows one to track the path it > > > made through the system, and who changed it. > > That's what the .changes file is for. > Well, assuming .changes is not snake-oil, then why should in-deb sigs be > called snake-oil? After all, according to you they essentially do the same > job. Sure, and sugar water is okay for quenching your thirst, but it's still snake oil as far as, say, curing cancer is concerned. .deb signatures are aimed at giving users some sort of assurance the package is "valid"; but when you actually look into it -- at least in Debian's circumstances -- those signatures can't actually give any meaningful assurance for any specific validity. .changes files aren't aimed at users, they're aimed at the archive -- the fact that they become more complicated to validate over time isn't a problem, because they're not expected to be validated in the future on a regular basis. > Still, .changes file do not carry all the information in-deb sigs do > (although they could, if we sign the .changes files more than once -- but > changes are DAK will croak on that too). You can have multiple signatures on a .changes file easily -- you strip the old signature, add a new one, and tar the two (or more) files up together. Or you use detached signatures of an origianl signed or unsigned changes file. That has nothing to do with dak or Debian though. > Not to mention that doing the inverse path (from .deb to .changes) is far > more complicated than using in-deb sigs, *shrug* Grepping through files isn't that difficult. You can use indices to make it quicker if it matters, but it doesn't. > > Uh, packages not uploaded to the official Debian archive can do whatever > > they want. > Sure. But I for one won't be building all debs twice, Uh, you add a signature to a .deb after building it. Upload the .deb to Debian before signing it if you want it both in Debian and in some local repository that requires signed debs. > So, it makes a damn big difference if the Debian archive accepts signed debs > or not. Cheers, aj
Attachment:
signature.asc
Description: Digital signature