[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Hurd-i386 and kfreebsd-{i386,amd64} removal

On 4/13/2019 12:49 PM, Aurelien Jarno wrote:
> The process to inject all packages to debian-ports is to get all the
> deb, udeb and buildinfo files from the archives (main and debug) and
> associate them with the .changes files that are hosted on coccia. We'll
> also need to fetch all the associated GPG keys used to sign the changes
> files. Then we can inject that in the debian-ports archive.
I'm curious how the GPG bit works given that there is no guarantee that
the signature can be validated at any other point in time than ingestion
on ftp-master - especially considering the rotation/expiry of subkeys
and buildd keys. In this case the files already come from a trusted
source and should be ingested as-is, I guess? (Not that I particularly
like the fact that it's only a point in time validation.)

Kind regards
Philipp Kern

Reply to: