
Re: Uploads



On Mon, 19 Feb 1996, Bruce Perens wrote:

> Once the upload procedure is fully automated, I will require that .changes
> files be signed using PGP to verify the identity of the uploader. This will
> take a while, but I would suggest that developers become familiar with PGP
> now. (Bill Mitchell - please make "dchanges" capable of invoking PGP to sign
> the file.)

Please would you read the proposal by IanJ and me about an authentication 
system for packages; it was posted to debian-devel last night. Comments 
on it would be useful.

The message concentrates on the protocol for authentication, and doesn't
say much about how it would be implemented. My assumption (Ian may have
different ideas; we didn't discuss this) is that the information that's
currently put in the '.changes' file would be emailed to the validity
server along with the package maintainer's certificate for the package.
This server would then post an announcement of the package to
debian-devel. 

The package maintainer would upload the package to the archive, where it
would wait in the appropriate Incoming directory. The certificate from the
validity server would be sent to the ftp site, where it would
automatically be merged with the package. The package would then be placed
in public view. 

Manual intervention is only necessary in this system when a package needs 
to be inserted into the archive immediately, or when a package maintainer 
repudiates a signature. 

Steve Early
sde1000@cam.ac.uk

