On Tue, 2016-11-29 at 12:23 -0200, Helen Koike wrote: > > On 2016-11-20 09:27 AM, Ben Hutchings wrote: > > On Wed, 2016-11-16 at 00:45 -0200, Helen Koike wrote: > > > Add linux, grub2 and fwupdate to publish their signatures by calling > > > byhand-code-sign as they are supposed to have a *-signed version > > > > > > NOTE: this bypass embargoed updates. The proposed solution for this is by > > > making dak to publish the *-signed packages automatically, this will be > > > implemented in incremental basis as we advance to have a base code of the > > > *-signed packages > > > > [...] > > > > I missed that discussion so I don't understand how that's supposed to > > work. Is there a log somewhere? > > > > Ben. > > > > Log: http://pastebin.com/bSsUPrrA OK, so it is only a high-level proposal, not something that we know how to do. It would presumably require much bigger changes to dak. So let's instead work out how to publish signatures without revealing which package they are for. I think the following changes would be almost sufficient: 1. Directory listing is disabled for the directory containing signature tarballs. 2. In main source package, debian/rules adds debian/changelog to the code-sign tarball. 3. Byhand script generates the signature tarball name thus: OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog").tar.xz" 4. In signed source package, preparation script takes main source package's changelog as input. This is not binNMU-safe, so possibly we would need to keep the current naming for non-security uploads. Ben. -- Ben Hutchings Theory and practice are closer in theory than in practice. - John Levine, moderator of comp.compilers
Attachment:
signature.asc
Description: This is a digitally signed message part